What is CVSS (CVSS score)?

Common Vulnerability Scoring System: an open standard maintained by FIRST that scores a vulnerability's technical severity from 0.0 to 10.0 based on a vector of metrics. CVSS 3.1 is still the version most advisories publish; CVSS 4.0 was released by FIRST in November 2023 and is gaining adoption. Used to prioritize patching and to gate deploys.

Full explanation

CVSS 3.1 produces a 0.0-10.0 Base score from a vector of metrics, written as a string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: Attack Vector (Network / Adjacent / Local / Physical), Attack Complexity (Low / High), Privileges Required (None / Low / High), User Interaction (None / Required), Scope (Unchanged / Changed, i.e. whether a successful exploit reaches beyond the vulnerable component), and the CIA triad impact (Confidentiality / Integrity / Availability, each None / Low / High). The first four metrics feed an exploitability sub-score and the three impacts an impact sub-score; the two are added, capped at 10, and rounded up to one decimal. The score maps to severity buckets: 0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical. A common deploy-gate policy blocks on Critical (>= 9.0) and requires manual approval for High (>= 7.0). CVSS 3.1 also defines Temporal and Environmental metric groups that adjust the Base score for exploit maturity and for your deployment; CVSS 4.0 reorganized these into a Threat group (a single Exploit Maturity metric, to separate real-world exploitability from theoretical risk) and an Environmental group, and added Supplemental metrics such as Automatable and Recovery that are published alongside the score but do not change it.

Example

CVE-2025-29927 (Next.js middleware authorization bypass) has a published CVSS 3.1 score of 9.1 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N: Network attack vector, Low complexity, no privileges or user interaction required, High Confidentiality and Integrity impact, no Availability impact. The missing Availability impact is why it scores 9.1 rather than 9.8 (the same vector with A:H); when a quoted score and its described impacts do not line up, recompute from the vector rather than trust the summary. A deploy-gate policy of 'block Critical CVEs in dependencies' would refuse to ship a build that includes a vulnerable Next.js version, whether or not that particular app relies on middleware for authorization; that reachability question is what the FAQ below is about.

FAQ

Is CVSS the right severity metric for my app?

It is the industry-standard baseline, and FIRST itself says CVSS measures severity, not risk, so it is not always the right answer for your specific context. A CVSS 7.5 vulnerability in a library function your code never calls is irrelevant; a CVSS 5.0 vulnerability in your auth library may be critical to YOU. Use the Base score as the starting filter, then adjust by reachability (does your code actually call the vulnerable function, and with untrusted input), exposure (is it on a public route, or only reachable from an internal network), and exploitation evidence (is there a public exploit or known in-the-wild use). CVSS has a formal home for the first two: the Environmental metric group lets you override the Base metrics for your deployment (for example Modified Attack Vector: Adjacent for a service not reachable from the internet) and weight the impacts by your Confidentiality, Integrity and Availability Requirements, which is what turns one public number into the score that belongs in your gate.

How does CVSS 4.0 differ from 3.1 in practice?

4.0 keeps the same idea of a Base score adjusted by context but reorganizes the pieces and labels the result by which groups went in: CVSS-B (Base only), CVSS-BT (Base + Threat), CVSS-BE (Base + Environmental) and CVSS-BTE (all three). Base is the technical vulnerability; Threat is real-world exploitability; Environmental is the impact in YOUR environment; Supplemental metrics (Safety, Automatable, Recovery, Value Density, Vulnerability Response Effort, Provider Urgency) are published alongside the score but never change the number. The Threat group is the biggest practical change and is a single metric, Exploit Maturity, with values Attacked (reported in-the-wild use), Proof-of-Concept, Unreported, or Not Defined; a CVSS-B score reported with E:U is lower as CVSS-BT, and a vendor or scanner that quotes only CVSS-B is leaving that out. Other differences you will notice: Scope is gone, replaced by separate Confidentiality/Integrity/Availability impacts on the Vulnerable System and on Subsequent Systems; Attack Requirements was added next to Attack Complexity for conditions of the target that must hold for the attack to work; User Interaction is now None / Passive / Active; and the score is no longer a closed formula but a lookup over equivalence classes of vectors (MacroVectors), so you use FIRST's calculator or a library rather than hand arithmetic.