The Hidden Threats in Your Code: Securing Direct & Transitive Dependencies
Open-source (OSS) dependencies are commonly estimated to make up over 80% of the code in today's applications. Those dependencies are of two kinds: the ones developers explicitly choose, and the transitive dependencies those choices pull in, which call for their own management strategy.
When developing a project, programmers routinely pull in third-party libraries to save work. These direct dependencies are declared explicitly in the project's build file (a Maven pom.xml or a Gradle build script), and the build tool fetches them.
Those libraries have dependencies of their own, however, and the build tool resolves them too. The result is transitive dependencies: code the project never declared but that ends up on its classpath because something it did declare requires it. A single declared library can pull in dozens of transitive ones, and the same artifact can arrive through several paths, so the project's real dependency graph is a tree, not the short list in the build file. That nesting is what makes modern software development so interconnected, and so reliant on external code nobody on the team has read.
Attackers care only whether a vulnerability is reachable and exploitable, not whether it sits in a direct or a transitive dependency. The distinction is also blurrier than it looks: first-party code often calls classes from transitive dependencies directly (a Spring Boot web application that uses Jackson's ObjectMapper without ever declaring Jackson is the everyday case), which makes the relationship between your code and those libraries just as direct as any declared one.
The attack surface expands due to transitive dependencies, leaving systems vulnerable to exploitation in a number of ways. There are a few common attack vectors you should be aware of:
Dependency confusion is the clearest example, demonstrated by security researcher Alex Birsan in research published in 2021. Birsan found that internal package names leak: they appear in publicly accessible files such as package manifests, yet nobody has registered the same names on the public registries (npm, PyPI, RubyGems). He uploaded harmless proof-of-concept packages under those names with very high version numbers, and package managers configured to consult both a private and a public registry picked the public copy because it carried the higher version, then ran its install hooks inside the build systems of Apple, Microsoft and dozens of other companies. His payload only beaconed back where it had executed; with a malicious payload the same trick yields stolen credentials, backdoored builds, and the financial and reputational damage that follow.
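The resolution rule behind the attack, and the fix, reduced to a few lines. This is an added example, not code from the original article or from Birsan's research; both registries are constructed in-memory dictionaries, and the package names, versions and the "acme-" prefix are hypothetical:

```python
"""Dependency confusion reduced to the resolution rule that makes it work.

Added example, not code from the original article or from Birsan's research.
Both registries are constructed in-memory dictionaries (no network access);
the package names, versions and the "acme-" prefix are hypothetical.
"""
import re


def version_key(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2): compare versions numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


# Constructed data. "acme-" is this organization's internal naming prefix.
PRIVATE_REGISTRY = {
    "acme-auth-client": ["1.2.0", "1.3.0"],
    "acme-billing": ["0.9.1"],
}
PUBLIC_REGISTRY = {
    "requests": ["2.31.0"],
    "acme-auth-client": ["99.0.0"],  # attacker-registered squat of a leaked internal name
}


def resolve_naive(name: str):
    """Vulnerable rule: query every configured registry and install the highest
    version seen anywhere. This is the behaviour Birsan relied on (for example
    pip with --extra-index-url). Returns (version, source) or None."""
    candidates = []
    for source, registry in (("private", PRIVATE_REGISTRY), ("public", PUBLIC_REGISTRY)):
        for v in registry.get(name, []):
            candidates.append((version_key(v), v, source))
    if not candidates:
        return None
    _, version, source = max(candidates)
    return version, source


def resolve_pinned(name: str, private_prefix: str = "acme-"):
    """Hardened rule: decide the source from the name *before* comparing versions.
    Internal names are served only by the private registry, everything else only
    by the public one, so a public squat of an internal name is never a candidate."""
    if name.startswith(private_prefix):
        versions, source = PRIVATE_REGISTRY.get(name, []), "private"
    else:
        versions, source = PUBLIC_REGISTRY.get(name, []), "public"
    if not versions:
        return None
    return max(versions, key=version_key), source


def squatted_internal_names() -> list:
    """Audit check: which internal names already exist on the public registry?
    A hit means the name has leaked and somebody has claimed it, which is the
    precondition for the attack (or the organization should claim it first)."""
    return sorted(name for name in PRIVATE_REGISTRY if name in PUBLIC_REGISTRY)


if __name__ == "__main__":
    for name in ("acme-auth-client", "requests"):
        print(name, "naive ->", resolve_naive(name), "| pinned ->", resolve_pinned(name))
    print("internal names present on the public registry:", squatted_internal_names())
```

The real-world equivalents of resolve_pinned are namespaced package names (npm scopes), a single internal repository manager that proxies the public registry and owns the private names, and, for Maven, a settings.xml mirror entry that forces every build to talk to that one repository manager rather than to public repositories directly. The squatted_internal_names check is the one Birsan effectively ran against leaked manifests; run it against your own names before someone else does.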
Malicious package injection is a second threat: instead of squatting a name, attackers compromise a package that is already trusted, by taking over a maintainer's account or slipping harmful code into an otherwise routine update, so nothing looks out of place. A recent variant did not attack a package at all but impersonated the tooling around it. In 2023 attackers used stolen GitHub personal access tokens to push commits to victims' repositories with the author set to look like Dependabot, GitHub's automated dependency-update bot, under routine-looking commit messages. Because Dependabot commits are routine, reviewers waved them through, and the commits added code that exfiltrated repository secrets and harvested credentials. The lesson for reviewers: a commit is not from Dependabot because its author name says so. Dependabot's own commits are signed by GitHub and show as Verified; an unsigned commit carrying the bot's name, or a "version bump" that touches files a version bump has no business touching, deserves the same scrutiny as a stranger's pull request.
Neglected dependencies are the third vector. A library nobody in the organization owns, that no one remembers adding, is easy to leave unpatched. The 2021 Log4Shell vulnerability in Apache Log4j (CVE-2021-44228) is the canonical case: a JNDI lookup triggered by attacker-controlled text in a log message gave remote code execution in Log4j 2 versions up to 2.14.1. The library itself was not abandoned; the neglect was on the consuming side. Log4j rarely appears in a pom.xml as a direct dependency. It arrives transitively through frameworks and vendor libraries, so when attackers began exploiting the flaw within hours, organizations first had to discover whether, where, and through which path they had log4j-core at all. The answer is in the build tool's dependency tree (mvn dependency:tree, or the gradle dependencies task), and Maven's dependencyManagement section can then pin the fixed version so that the upgrade applies no matter which path pulls the library in.
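A worked illustration of both the tree structure described above and the Log4Shell hunt: parse the text that mvn dependency:tree prints, walk it, and report every path by which an affected log4j-core reaches the project. This is an added example, not code from the original article or from TuxCare; the tree is a constructed sample in Maven's output layout, and the com.example artifacts in it are hypothetical:

```python
"""Find where a hidden library sits in a Maven dependency tree.

Added example, not code from the original article or from TuxCare. The tree
below is a constructed sample in the layout `mvn dependency:tree` prints
(groupId:artifactId:packaging[:classifier]:version[:scope]); the artifacts
under com.example are hypothetical.
"""
import re

SAMPLE_TREE = r"""
[INFO] com.example:webapp:jar:1.0.0
[INFO] +- org.springframework:spring-web:jar:5.3.12:compile
[INFO] |  \- org.springframework:spring-core:jar:5.3.12:compile
[INFO] +- com.example:legacy-reporting:jar:3.2.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |     \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.5:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-core:jar:2.12.5:compile
""".strip()

# Tree-drawing prefix: each nesting level is three characters ("+- ", "|  ", "\- ", "   ").
PREFIX = re.compile(r"[\s|+\\-]*")


def parse_tree(text: str) -> list:
    """Return [(depth, groupId, artifactId, version)] in printed order."""
    nodes = []
    for raw in text.splitlines():
        line = raw.replace("[INFO] ", "", 1)
        prefix = PREFIX.match(line).group(0)
        parts = line[len(prefix):].strip().split(":")
        if len(parts) < 4:
            continue  # blank or non-coordinate line
        # The root line has no scope (g:a:pkg:version); every other line ends in
        # :scope, with an optional classifier before the version.
        version = parts[-1] if len(parts) == 4 else parts[-2]
        nodes.append((len(prefix) // 3, parts[0], parts[1], version))
    return nodes


def paths_to(nodes: list, group: str, artifact: str) -> list:
    """Every path from the root to the given artifact, as [(path, version)]."""
    stack, found = [], []
    for depth, g, a, v in nodes:
        stack = stack[:depth]  # climb back to this node's parent
        stack.append(f"{g}:{a}:{v}")
        if (g, a) == (group, artifact):
            found.append((list(stack), v))
    return found


def log4shell_affected(version: str) -> bool:
    """CVE-2021-44228 affected range per the Apache advisory: Log4j 2 from 2.0-beta9
    through 2.14.1, except the Java 6/7 backport fixes 2.3.1 and 2.12.2 (and later
    patch releases on those lines). Pre-release suffixes are ignored, so early 2.0
    betas are conservatively flagged as well."""
    nums = tuple(int(x) for x in re.findall(r"\d+", version.split("-")[0]))
    key = (nums + (0, 0, 0))[:3]
    if not (2, 0, 0) <= key <= (2, 14, 1):
        return False
    if (2, 3, 1) <= key < (2, 4, 0) or (2, 12, 2) <= key < (2, 13, 0):
        return False
    return True


def find_log4shell(text: str) -> list:
    """Paths to every log4j-core in the tree whose version is in the affected range."""
    hits = paths_to(parse_tree(text), "org.apache.logging.log4j", "log4j-core")
    return [(path, v) for path, v in hits if log4shell_affected(v)]


if __name__ == "__main__":
    for path, version in find_log4shell(SAMPLE_TREE):
        print(f"log4j-core {version} reachable via: " + " -> ".join(path))
```

On the sample tree the only hit comes through com.example:legacy-reporting, which is exactly the kind of internal or vendor library that hides a logging framework nobody declared. Two caveats when running this against real output: Maven prints the single version it resolved per artifact ("nearest wins"), so pass -Dverbose to dependency:tree if you also want the versions it omitted, and Gradle's dependencies task uses a different drawing style, so the prefix handling would need adjusting even though the path-walking logic is the same.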
TuxCare provides security patching for Java Spring projects, covering both the direct dependencies you declare and the wider Java ecosystem libraries that so often arrive as transitive dependencies.
Our Endless Lifecycle Support (ELS) for Spring delivers ongoing security updates for end-of-life Spring projects, including Spring Boot, Spring Framework, Spring Data, and more – so you can safely stay on your unsupported Spring version for as many years as you need.
Need to secure your Spring applications? Get a quote or ask us a question about ELS for Spring here.


