CVE Scanning

Escape automatically scans every detected technology for known CVEs (Common Vulnerabilities and Exposures). Once technologies are identified on your assets, they are matched against a comprehensive vulnerability database to surface dependencies with known security issues.

Why it matters: vulnerable dependencies are one of the most common attack vectors. Escape turns your technology inventory into an actionable vulnerability assessment — continuously, without manual effort.

How It Works

  1. Technology Detection — Escape identifies technologies running on your assets through fingerprinting and dependency analysis.
  2. Vulnerability Matching — Each detected technology is matched against a vulnerability database containing 170,000+ known CVEs across thousands of different technology products.
  3. Finding Generation — When a match is found, a finding is created with full context: CVE ID, severity score, description, affected versions, fix version (when available), and reference links.

The vulnerability database is updated daily, ensuring that newly disclosed CVEs are picked up on subsequent scans without any action on your part.

Versioned vs Versionless Matching

The accuracy of CVE matching depends on whether a specific version was detected:

| Detection | Matching approach | Confidence |
|---|---|---|
| Versioned (e.g. express@4.17.1) | Precise matching against known affected version ranges | High — only CVEs that affect the exact version are reported |
| Versionless (e.g. nginx, no version) | Best-effort matching using standard product identifiers | Adjusted — findings are reported at reduced severity with a capped number of results per technology |

Versionless matching ensures you still get visibility into potential risks even when version information is not available, while keeping the signal-to-noise ratio manageable.
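The two matching modes above, written out as an added illustration (this is not Escape's code; the advisory records, CVE IDs, the one-level severity reduction and the cap of two results are constructed assumptions chosen to show the behaviour):

```python
from typing import Optional

SEVERITY_LEVELS = ["Low", "Medium", "High", "Critical"]

# Constructed sample advisories; CVE IDs are placeholders, not real records.
# "affected" is [first vulnerable version, fix version): the fix version is exclusive.
ADVISORIES = [
    {"cve": "CVE-0000-0001", "product": "express", "affected": ("4.0.0", "4.17.2"), "severity": "High"},
    {"cve": "CVE-0000-0002", "product": "express", "affected": ("4.18.0", "4.18.1"), "severity": "Medium"},
    {"cve": "CVE-0000-0003", "product": "nginx", "affected": ("1.0.0", "1.20.0"), "severity": "Critical"},
    {"cve": "CVE-0000-0004", "product": "nginx", "affected": ("1.21.0", "1.21.5"), "severity": "High"},
    {"cve": "CVE-0000-0005", "product": "nginx", "affected": ("1.0.0", "1.25.0"), "severity": "Low"},
]


def parse_version(text: str) -> tuple:
    """Turn '4.17.1' into (4, 17, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def downgrade(severity: str) -> str:
    """Report one level lower (Critical -> High, ...); Low stays Low. Assumed policy."""
    return SEVERITY_LEVELS[max(0, SEVERITY_LEVELS.index(severity) - 1)]


def match(product: str, version: Optional[str], advisories=ADVISORIES, cap: int = 2) -> list:
    """Return CVE findings for one detected technology.

    Versioned: only advisories whose affected range contains the exact version.
    Versionless: every advisory for the product, reduced one severity level and
    capped at `cap` results (most severe kept), reflecting the lower confidence.
    """
    candidates = [a for a in advisories if a["product"] == product]
    if version is not None:
        v = parse_version(version)
        hits = [a for a in candidates
                if parse_version(a["affected"][0]) <= v < parse_version(a["affected"][1])]
        return [{"cve": a["cve"], "severity": a["severity"], "confidence": "High",
                 "fix_version": a["affected"][1]} for a in hits]
    # Versionless: keep the highest-severity advisories up to the cap, then downgrade.
    candidates.sort(key=lambda a: SEVERITY_LEVELS.index(a["severity"]), reverse=True)
    return [{"cve": a["cve"], "severity": downgrade(a["severity"]), "confidence": "Adjusted",
             "fix_version": a["affected"][1]} for a in candidates[:cap]]


if __name__ == "__main__":
    for tech in [("express", "4.17.1"), ("express", "4.17.2"), ("nginx", None)]:
        print(tech, match(*tech))
```

Note that `express@4.17.2` produces no finding because the fix version is excluded from the range, while versionless `nginx` returns two adjusted findings rather than all three advisories.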

What Gets Reported

Each CVE finding includes:

  • CVE ID — The unique identifier (e.g. CVE-2024-12345)
  • Severity — CVSS-based severity rating (Critical, High, Medium, Low)
  • Description — What the vulnerability is and how it can be exploited
  • Affected Versions — The version range impacted by the CVE
  • Fix Version — The version that resolves the vulnerability (when available)
  • References — Links to advisories and technical details

Findings appear in the platform as Vulnerable Dependency Detected issues, linked to both the affected technology and the asset it was found on.

Coverage

Escape tests for 170,000+ known CVEs across thousands of different technologies, covering:

  • Web servers, application frameworks, and programming languages
  • JavaScript libraries, Python packages, and dependencies from all major package ecosystems
  • Databases, CMS platforms, reverse proxies, and infrastructure software
  • Frontend JavaScript libraries embedded in web applications

The vulnerability database aggregates data from multiple upstream sources — including national vulnerability feeds, OS vendor advisories, and community-maintained advisory databases — and is rebuilt daily.

Vulnerability Reference

For detailed information on specific vulnerability tests, see the Security Tests Reference. CVE-related tests include: