Eighty-seven percent of organizations have at least one exploitable software vulnerability in production, affecting 40% of all services, a new report from DataDog has revealed.
The observability and security specialist revealed the findings in its State of DevSecOps Report, which is based on telemetry from tens of thousands of applications and additional datasets.
It noted that vulnerabilities are most common in Java services (59%), followed by .NET (47%) and Rust (40%).
However, not all CVEs need prioritizing. DataDog claimed that only 18% of critical dependency vulnerabilities stay critical after adjusting the severity score according to runtime and CVE context.
This is most common in .NET environments: Datadog said that 98% of .NET dependency vulnerabilities are downgraded from critical once context is considered.
By context, it means whether the vulnerability is in production, whether the affected service is under active attack, the availability of an exploit, and the likelihood of exploitation.
“When almost everything is labeled ‘critical,’ nothing is,” argued Andrew Krug, head of security advocacy at Datadog.
“Teams get paged for noise while threats that pose real risk slip through. Without context, prioritization becomes harder – leading to burnout, slower response times and accumulated risk. Teams need better visibility into what actually requires action.”
Update Quickly, but Not Too Quickly
The report also revealed security risks at both ends of the software lifecycle.
The median software dependency is now 278 days out of date – 63 days more than last year’s figure. Java (492 days) and Ruby (357) dependencies fared even worse.
This matters, because older versions are more likely to have more vulnerabilities, the report claimed.
Broken down by service, libraries published in 2025 have on average 1.3 vulnerabilities, compared to 1.9 in 2024 and 3.8 in 2023.
However, updating dependencies too quickly could also land developers in trouble.
The report found that half of organizations (50%) adopt new library versions within 24 hours of release, and only 4% pin all public GitHub Actions to a specific version using commit hashes.
This unwittingly exposes build and deployment pipelines to silent changes in third-party code, Datadog claimed.
Supply chain attacks like s1ngularity and Shai-Hulud spread in part due to DevOps teams using malicious versions of libraries as soon as they were released, the report noted. To mitigate this risk, Datadog recommended pinning dependency versions to a full-length commit Secure Hash Algorithm (SHA).
Krug argued that security practices haven’t kept pace with the way software is built today.
“DevSecOps teams are caught between moving too slowly and moving too fast. Go slow, and outdated software accumulates known vulnerabilities. Go fast, and automation can introduce unvetted code,” he added.
“The real challenge, though, isn’t speed – it’s clarity. As environments grow more complex, AI-assisted workflows help ensure top priorities get attention first.”