Supported CVEs for reachability analysis

Fluid Attacks informs of the reachability status at the following levels:

Latent: (a) A vulnerable dependency is declared in the package manager, but (b) no file imports the dependency.
Potential: (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, but (c) the vulnerable function in the dependency is not called from the code.
Reachable: (a) A vulnerable dependency is declared in the package manager, (b) the vulnerable dependency is imported in the code, and (c) the vulnerable function in the dependency is called from the code.

Below are two technical examples and an analogy for better comprehension:

Example in JS (Node.js):

package.json


{
  "name": "demo-app",
  "version": "1.0.0",
  "dependencies": {
    "vulnLib": "1.2.3"
  }
}

app.js


// LATENT: Library declared in package.json but not imported nor used
 
console.log("Hello world");
 
// POTENTIAL: Library imported but vulnerable function not used
 
import vulnLib from 'vulnLib',
console.log("Library loaded but dangerous function not used")
 
// REACHABLE: Library imported and vulnerable function is used
 
import vulnLib from 'vulnLib',
vulnLib.dangerousFunction(); // <- Risk activated

Example in Python

requirements.txt
vuln-lib==1.2.3

app.py


# LATENT: Library declared in requirements.txt but not imported nor used
print("Hello world")
 
# POTENTIAL: Library imported but vulnerable function not used
import vuln_lib
print("Library loaded but dangerous function not used")
 
# REACHABLE: Library imported and vulnerable function is used
import vuln_lib
vuln_lib.dangerousFunction() # <- Risk activated*`

Analogy

Latent
1. (a) The book is in the library (declared), but
2. (b) you do not read any chapter (not imported).
Potential
1. (a) The book is in the library (declared),
2. (b) you start reading any chapter (imported), but
3. (c) you do not read the faulty chapter.
Reachable
1. (a) The book is in the library (declared),
2. (b) you start reading any chapter (imported), and
3. (c) you read the faulty chapter and use it as a reference for your MBA thesis.

Supported

Latent and Potential

At the Latent and Potential levels, Fluid Attacks supports all CVEs (or other advisories) issued about vulnerable third-party dependencies or libraries in reliable vulnerability databases and written in all supported languages and package managers . See the list of sources in Vulnerability signature update .

Reachable

Currently, Fluid Attacks has methods to detect when software effectively calls known vulnerable functions reported in the CVE entries/advisories shown in the following table, where they are classified by the programming language in which the functions are written:

Language	CVE IDs	Number of methods
C#	CVE-2024-45302 CVE-2024-21907 CVE-2021-43045	3
Dart	CVE-2023-39139	1
Go	CVE-2025-27144	1
Java	CVE-2023-33202 CVE-2023-26919 CVE-2022-45690 CVE-2022-45689 CVE-2021-43570 CVE-2021-37573	6
JavaScript	CVE-2025-57810 CVE-2025-56200 CVE-2024-45590 CVE-2024-43796 CVE-2024-39338 CVE-2024-29415 CVE-2024-21538 CVE-2024-10491 CVE-2023-46233 CVE-2023-42282 CVE-2023-37466 CVE-2023-37903 CVE-2023-3696 CVE-2023-32314 CVE-2023-28155 CVE-2023-25813 CVE-2023-22579 CVE-2023-22578 CVE-2022-31129 CVE-2022-25887 CVE-2022-25881 CVE-2022-24785 CVE-2022-23540 CVE-2021-3918 CVE-2021-3749 CVE-2021-26540 CVE-2021-26539 CVE-2021-23771 CVE-2021-23566 CVE-2021-23382 CVE-2021-23337 CVE-2020-8203 CVE-2020-7766 CVE-2020-7712 CVE-2020-28500 CVE-2020-15084 CVE-2019-10775 CVE-2019-10744 CVE-2019-10742 CVE-2019-1010266 CVE-2018-16487 CVE-2018-3721 CVE-2018-1109 CVE-2017-18214 CVE-2017-16137 CVE-2017-16016 CVE-2016-10707 CVE-2016-1000237 GHSA-mm7p-fcc7-pg87 GHSA-9h6g-pr28-7cqp GHSA-9v62-24cr-58cx GHSA-4xcv-9jjx-gfj3	52
Kotlin	CVE-2021-43570	1
PHP	CVE-2021-3902	1
Python	CVE-2025-57833 CVE-2025-50181 CVE-2024-39303 CVE-2023-49083 CVE-2023-46136 CVE-2023-44271 CVE-2023-36053 CVE-2023-32681 CVE-2022-24859 CVE-2022-22817 CVE-2021-33503 CVE-2020-28975 CVE-2020-13091	13
Ruby	CVE-2024-41123 CVE-2024-35176 CVE-2023-22796 CVE-2021-41817 CVE-2021-32740	5
Scala	CVE-2021-41084	1
Swift	CVE-2023-44386	1
TypeScript	CVE-2025-57810 CVE-2025-56200 CVE-2024-45590 CVE-2024-43796 CVE-2024-39338 CVE-2024-29415 CVE-2024-21538 CVE-2024-10491 CVE-2023-46233 CVE-2023-42282 CVE-2023-37903 CVE-2023-37466 CVE-2023-3696 CVE-2023-32314 CVE-2023-28155 CVE-2023-25813 CVE-2023-22579 CVE-2023-22578 CVE-2022-31129 CVE-2022-25887 CVE-2022-25881 CVE-2022-24785 CVE-2022-23540 CVE-2021-3918 CVE-2021-3749 CVE-2021-26540 CVE-2021-26539 CVE-2021-23771 CVE-2021-23566 CVE-2021-23382 CVE-2021-23337 CVE-2020-8203 CVE-2020-7766 CVE-2020-7712 CVE-2020-28500 CVE-2020-15084 CVE-2019-10775 CVE-2019-10744 CVE-2019-10742 CVE-2019-1010266 CVE-2018-16487 CVE-2018-1109 CVE-2018-3721 CVE-2017-18214 CVE-2017-16137 CVE-2017-16016 CVE-2016-10707 CVE-2016-1000237 GHSA-mm7p-fcc7-pg87 GHSA-9h6g-pr28-7cqp GHSA-9v62-24cr-58cx GHSA-4xcv-9jjx-gfj3	52
Total methods		137

Unsupported

Latent and Potential

At the Latent and Potential levels, Fluid Attacks’ testing does not support CVEs/advisories outside its supported databases and supported languages and packages.

Reachable

At the Reachable level, Fluid Attacks’ analysis does not support any CVE/advisory corresponding to vulnerabilities in software libraries not listed in the above table.

Search for vulnerabilities in your apps for free with Fluid Attacks’ automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan . If you prefer the Advanced plan, which includes the expertise of Fluid Attacks’ hacking team, fill out this contact form .