A Large-scale Empirical Study on the Generalizability of Disclosed Java Library Vulnerability Exploits
Research on 259 exploits across 28,150 Java versions reveals surprising cross-version applicability.
A research team from Zhejiang University and Huazhong University of Science and Technology has published the first large-scale empirical study on the generalizability of disclosed Java library vulnerability exploits. Their work systematically challenges the widely held assumption that exploits are version-specific and cannot be applied across different library versions. The researchers constructed a comprehensive dataset of 259 exploits spanning 128 Java libraries and 28,150 historical versions, covering 61 Common Weakness Enumerations (CWEs) that account for 76.33% of vulnerabilities in Maven. They executed each exploit against the full version history of its target library and compared outcomes with manually annotated ground-truth affected versions.
The results revealed that, even without any migration or adaptation, the exploits achieved 83.0% recall and 99.3% precision in identifying affected versions. This performance notably surpasses that of most widely used vulnerability databases and assessment tools. That accuracy enabled the researchers to contribute 796 confirmed missing affected versions to the National Vulnerability Database's CPE (Common Platform Enumeration) dictionary. For the remaining 17% of affected versions that the unmodified exploits failed to detect, the team investigated the root causes, primarily compatibility issues introduced by library evolution and changing environmental constraints, and successfully migrated the exploits by hand for 1,885 versions. From these cases, they distilled a taxonomy of 10 adaptation strategies, raising the overall recall to 96.1%. This research provides a significant, data-driven foundation for improving software supply chain security tools and practices.
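The evaluation loop the study describes (run each exploit against every historical version, score the outcomes against annotated ground truth, and flag versions a vulnerability database omits) can be sketched as a small harness. The code below is an added illustration, not the research team's tooling: the library name, version list, ground-truth range, database range and the exploit oracle are all constructed, and the oracle is a stand-in for a sandboxed exploit run that returns only a success/failure flag. Note the numeric version parsing: a plain string comparison would misorder 1.2.10 against 1.2.1, which matters when expanding a CPE-style range over a long version history.

```python
"""Score exploit-based affected-version detection against ground truth.

Added example, not the study's own code. Every input below is constructed.
"""
from typing import Callable, Iterable, List, Set, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


# Constructed release history of a hypothetical library "example-lib".
VERSIONS: List[str] = [
    "1.0.0", "1.0.1", "1.1.0", "1.2.0", "1.2.1", "1.2.10",
    "1.3.0", "2.0.0", "2.0.1", "2.1.0",
]


def versions_in_range(versions: Iterable[str], start: str, end: str,
                      end_inclusive: bool = True) -> Set[str]:
    """Expand a [start, end] (or [start, end)) range over a concrete version list."""
    lo, hi = parse_version(start), parse_version(end)
    return {v for v in versions
            if lo <= parse_version(v) and
            (parse_version(v) <= hi if end_inclusive else parse_version(v) < hi)}


# Constructed ground truth: vulnerable code present from 1.1.0, patched in 2.0.1.
GROUND_TRUTH: Set[str] = versions_in_range(VERSIONS, "1.1.0", "2.0.1", end_inclusive=False)

# Constructed database entry of the kind a CPE range gives: it stops at 1.2.1
# and therefore misses later vulnerable releases.
DATABASE_RANGE = ("1.1.0", "1.2.1")


def constructed_exploit_check(version: str) -> bool:
    """Stand-in for one sandboxed exploit run against one library version.

    Constructed behaviour: succeeds on every vulnerable version except 1.2.10,
    where an imagined API rename breaks the unadapted exploit. This models the
    compatibility failures the study attributes to library evolution.
    """
    return version in GROUND_TRUTH and version != "1.2.10"


def run_over_history(check: Callable[[str], bool], versions: Iterable[str]) -> Set[str]:
    """Versions on which the exploit succeeded."""
    return {v for v in versions if check(v)}


def precision_recall(detected: Set[str], truth: Set[str]) -> Tuple[float, float]:
    tp = len(detected & truth)
    precision = tp / len(detected) if detected else 0.0
    recall = tp / len(truth) if truth else 0.0
    return precision, recall


def missing_from_database(detected: Set[str], db_versions: Set[str]) -> List[str]:
    """Versions the exploit confirms but the database does not list: candidates
    for contribution as missing affected versions, after manual confirmation."""
    return sorted(detected - db_versions, key=parse_version)


def evaluate() -> dict:
    detected = run_over_history(constructed_exploit_check, VERSIONS)
    precision, recall = precision_recall(detected, GROUND_TRUTH)
    db_versions = versions_in_range(VERSIONS, *DATABASE_RANGE)
    return {
        "detected": sorted(detected, key=parse_version),
        "precision": precision,
        "recall": recall,
        "missing_from_db": missing_from_database(detected, db_versions),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

On the constructed data the unadapted exploit reaches 100% precision but only 5/6 recall, with 1.2.10 as the compatibility miss; the two versions it confirms beyond the database range (1.3.0 and 2.0.0) are exactly the kind of gap the study reported to the CPE dictionary.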
- Exploits tested achieved 83.0% recall and 99.3% precision across versions without modification, outperforming existing databases.
- The study contributed 796 confirmed missing affected versions to the CPE dictionary, directly improving vulnerability tracking.
- Researchers developed 10 adaptation strategies from successful migrations, boosting overall exploit recall to 96.1%.
Why It Matters
This challenges core security assumptions and provides a methodology to significantly improve automated vulnerability detection in software supply chains.