What is A06 Vulnerable and Outdated Components?
Your own code can be perfect, but a library, framework, or dependency you pull in has a publicly known CVE — and attackers scan for exactly those versions. The fix is knowing what you depend on and patching it fast.
The textbook example is Equifax (2017): a known, patched flaw in the Apache Struts framework went un-updated for months, and attackers used it to breach 147 million records. The lesson is that modern apps are mostly other people's code (often 80%+ by line count), so "is anything I depend on vulnerable?" is a question you must answer continuously, not once. Tools like Dependency-Track and the NVD CVE database automate that watch.
Issues:
- Outdated components with known vulnerabilities
- Unsupported components (no security patches)
- Insufficient patching process
- Insufficient testing after updates
Countermeasures:
- Remove unnecessary dependencies
- Update regularly based on risk
- Continuously monitor components (e.g., Dependency Track)
- Obtain components from official sources only
See: OWASP Dependency-Track | NVD — search known CVEs for your components
Go deeper:
OWASP Top 10 — A06: Vulnerable and Outdated Components — canonical category page.