cs.CRcs.SE
Cross-Ecosystem Vulnerability Analysis for Python Applications
Mar 19, 2026(revised May 28, 2026)
The paper introduces a provenance-aware vulnerability analysis approach that accurately identifies cross-ecosystem vulnerabilities in Python applications by resolving vendored native libraries to specific OS package versions, significantly reducing false positives.
Python applications depend on third-party native libraries that may be vendored within package distributions or installed on the host system. When vulnerabilities are discovered in these native libraries, determining which Python packages are affected requires analysis across ecosystem boundaries, from Python dependency graphs to OS distribution packages. Current vulnerability scanners produce false negatives by overlooking vulnerabilities in vendored native libaries and false positives by failing to account for security patches backported by OS distributions. We present a provenance-aware vulnerability analysis approach that resolves vendored libraries to specific OS package versions or upstream project releases. Our approach queries vendored libraries against a database of historical OS package artifacts using content-based hashing, and applies library-specific dynamic analyses to extract version information from binaries built from upstream source. We then construct cross-ecosystem call graphs by stitching together Python and binary call graphs across dependency boundaries, enabling reachability analysis of vulnerable functions. Evaluating on 100,000 Python packages and 10 known CVEs associated with third-party native dependencies, We identify 39 directly vulnerable packages (47M+ monthly downloads) and 312 indirectly vulnerable client packages affected through dependency chains. Our analysis reduces false positives by 52% on average compared to upstream version matching, and by up to 97% for heavily-patched libraries. We responsibly disclosed all findings to maintainers; 54 issues have been fixed to date.
A Large-scale Empirical Study on the Generalizability of Disclosed Java Library Vulnerability Exploi…
This paper conducts a large-scale empirical study demonstrating that Java librar…
Analyzing Vector Register Usage in Linux Packages to Understand Real-World Impact of Downfall Attack
This paper analyzes vector register usage across thousands of Linux packages to…
Broken Quantum: A Systematic Formal Verification Study of Security Vulnerabilities Across the Open-S…
The paper presents Broken Quantum, a comprehensive formal security audit that id…
Towards Predicting Multi-Vulnerability Attack Chains in Software Supply Chains from Software Bill of…
The paper proposes a graph-learning approach to predict multi-vulnerability atta…
Hardware Trojans from Invisible Inversions: On the Trojanizability of Standard Cell Libraries
The paper analyzes existing hardware Trojan datasets to demonstrate that standar…
Quantum-Safe Code Auditing: LLM-Assisted Static Analysis and Quantum-Aware Risk Scoring for Post-Qua…
The paper introduces Quantum-Safe Code Auditor, a novel static analysis framewor…
Agent Audit: A Security Analysis System for LLM Agent Applications
Agent Audit is a novel security analysis system that comprehensively audits LLM…
Context Matters: Repository-Aware Security Analysis of the Agent Skill Ecosystem
This paper conducts a large-scale, repository-aware security analysis of AI agen…