Introduction
A Vulnerability Exploitability eXchange (VEX) is a machine-readable file used to indicate whether vulnerabilities in an application’s third-party dependencies are actually exploitable.
We first encountered the term “VEX” in 2023 when we began publishing SBOMs and Vulnerability Disclosure Reports (VDRs) for Log4j, as part of a larger STF initiative. That work gave us the chance to learn directly from experts like Steve Springett (whom we sincerely thank for his time and patience). One key takeaway from that experience: there are two ways in the CycloneDX machine-readable format for conveying vulnerability information in software components:
-
- A Vulnerability Disclosure Report (VDR) lists vulnerabilities present in a software component. There’s debate about whether it should also include third-party dependency vulnerabilities, but in the case of Log4j (a Java library that bundles no third-party dependencies), the answer is clear: it does not matter.
- A Vulnerability Exploitability eXchange (VEX) goes further, analysing whether the vulnerabilities present are actually exploitable.
When the Absence of a VEX Became a Problem
At first, we were comfortable with our decision. But that changed when we helped Kafka migrate from Log4j 1 to Log4j 2. I suggested using more human-friendly YAML-formatted configuration files, only to be met with valid concerns:
-
-
- Adding log4j-core and its optional jackson-dataformat-yaml dependency could introduce security risks.
-
-
-
- Parsers are common sources of CVEs.
-
-
-
- While Log4j doesn’t bundle dependencies (we only provide metadata and recommendations), Kafka’s situation is different—each vulnerability in its transitive dependencies could force a new release.
-
VEX ante litteram
Log4j Core is a very controlled consumer of jackson-dataformat-yaml. But what about other consumers? Would they be vulnerable to transitive dependencies like SnakeYAML? You’d think so—but when I thoroughly analyzed several SnakeYAML CVEs, none turned out to be exploitable through Jackson.
Still, that kind of analysis is extremely time-consuming:
-
- Identify the exact method that caused the CVE (rarely detailed in CVE descriptions).
- Analyze how, if at all, that method can be reached through your dependency tree.
- Confirm there’s no sanitization or validation on any reachable path.
Surprisingly, some of this work has already been done for years by maintainers! For example, downstream projects often raise issues like:
“Please upgrade foo to version 1.2.3 due to CVE-2025-1234.”
What this request actually means is:
-
- Please confirm your library is compatible with the patched version.
- Please tell us whether the vulnerability is exploitable.
These kinds of request leave Open Source maintainers two choices:
-
-
- Publish machine-readable VEXes so tools can automatically dismiss non-exploitable issues and many user questions can be avoided.
-
- Or answer these questions only manually—repeatedly, and often redundantly.
-
Toward Faster, Smarter VEXes
The turning point came at FOSDEM 2025, where I met Munawar Hafiz (OpenRefactory). As we discussed the VEX burden, we realized much of the manual analysis could be automated.
In the months that followed, Munawar’s team built a prototype that automates two key parts of VEX creation:
-
-
-
- Identifying the vulnerable method(s) in a dependency
-
-
-
- Tracing all possible paths from the application to the vulnerability.
-
-
VEXes Come to Open Source
As of July 2025, we’re excited to share that a new VEX Initiative has been launched by the Alpha-Omega Fund. It will release OpenRefactory’s tooling under the Apache-2.0 license and integrate it into Apache Solr workflows.
The goal: generate more accurate and timely VEX files. For example, the first CVE addressed—CVE-2025-48924 (an infinite recursion in a Commons Lang method)—was reported just days after the initiative started. The analysis showed Solr was not vulnerable, meaning users don’t need to rush to upgrade to the next release.
This is only the beginning. We aim to push this effort up the dependency chain—supporting not just Solr, but also projects like Log4j and Apache Commons. This collaborative model allows us to distribute the effort: both the computational workload of automated analysis and the human effort required to review, validate, and interpret the results.
By working together across projects, we can reduce duplication, increase accuracy, and accelerate the delivery of trustworthy VEX files—benefiting the entire open source ecosystem.
What It Means for You
Under the EU’s Cyber Resilience Act (CRA), commercial vendors must ensure that:
“Products with digital elements shall be made available on the market without known exploitable vulnerabilities.”
Improved VEX tooling and publishing open up two practical paths for meeting the requirements of the CRA:-
- Patch your Solr installations to use dependency versions that are free of known CVEs.
- Leverage the Apache Solr VEX file to demonstrate to regulators that known vulnerabilities are not exploitable in your context.
It’s a win-win: stronger shared security, reduced duplication of effort, and a more resilient open source supply chain.
End Notes:
-
- The image at the top is generated by Sora. We used the following prompt: “Create an image for a blog post with the following title “How I Learned to Stop Worrying and Love the VEX” . Here VEX refers to the Vulnerability Exploitability eXchange document which is used to describe whether a vulnerability affects a downstream dependent application or not. Please use references from the Dr Strangelove movie while preparing the image.”
