A CVE identifier by itself doesn't tell you whether you're exposed. Read the advisory for four things.
The four questions
- Affected versions — is the vulnerable range one you actually run? Check your lockfile, not your intent.
- Attack vector — network vs local, and whether it needs authentication or user interaction. A network, unauthenticated RCE is a different Tuesday than a local DoS.
- Reachability — do you call the vulnerable code path, or merely ship the dependency? Most shipped vulnerabilities are never reached.
- Fixed version — and whether that upgrade is safe for you to take now.
On CVSS
CVSS is a starting point, not a verdict. A 9.8 you don't reach is lower real risk than a 6.5 on your hot path. Prioritize by reachability and exposure, then patch.
Triage workflow
osv-scanner --lockfile package-lock.json # what actually affects your pinned deps
# then, per hit: confirm version range, check if you import the affected symbol, plan the bump