Anonymous Intelligence Signal

OSSF Scorecard Flags 13 Unpatched Vulnerabilities in Rust & Go Dependencies, Including Critical Go Flaw

human The Lab unverified 2026-04-20 00:22:32 Source: GitHub Issues

A routine security scan by the Open Source Security Foundation (OSSF) Scorecard has exposed a lingering supply-chain risk: 13 unaddressed security advisories embedded within project dependencies. The findings, which include one critical and one high-severity flaw, signal a direct and quantifiable exposure to known Common Vulnerabilities and Exposures (CVEs) that could be exploited upstream.

The scan identified 12 low-severity advisories within the Rust ecosystem, with several flagged as originating from unmaintained crates (RUSTSEC-2024-0384, RUSTSEC-2024-0436). More critically, it surfaced a single advisory in the Go module ecosystem, GO-2025-3922, which carries a combined critical/high severity rating. This mix of low-severity Rust issues and a high-impact Go vulnerability creates a multi-vector attack surface that currently depresses the project's overall security score.

Failure to remediate these advisories leaves an active exposure to known CVEs in the software supply chain. While the majority are low-risk, the presence of a critical/high-severity flaw in a core dependency is the finding to address first. The OSSF Scorecard explicitly warns that addressing these issues is required to lift the Vulnerabilities sub-score and reduce the project's attack profile. The onus is now on maintainers to validate each finding via `cargo audit` and `govulncheck` before initiating patches.
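The validation step above is where the Scorecard summary stops and the maintainer's work starts: `cargo audit` separates real vulnerabilities from unmaintained-crate warnings, and `govulncheck` reports whether a vulnerable Go symbol is actually reachable from the scanned code. The following triage script is an added example, not part of the original signal or of either tool. It assumes the reports were produced with `cargo audit --json` and `govulncheck -json ./...`, and the field names it reads (`vulnerabilities.list`, `warnings.unmaintained`, the streamed `finding` objects with a `trace` whose first entry carries a `function` when the finding is symbol-level) are the author's understanding of those formats; check them against the tool versions you run. The two sample reports are constructed, with the advisory IDs taken from the scan above and placeholder package and module names.

```python
"""Triage cargo-audit and govulncheck JSON output before patching.

Added example: not code from the signal above nor from either tool.
Field names are assumptions based on the documented output of
`cargo audit --json` and `govulncheck -json`; verify against your versions.
"""
import json

# Constructed `cargo audit --json` report, trimmed to the fields used here.
# Package names are placeholders; advisory IDs come from the scan above.
CARGO_AUDIT_SAMPLE = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 1,
        "list": [{
            "advisory": {"id": "RUSTSEC-EXAMPLE-0001", "package": "example-crate",
                         "title": "placeholder vulnerability"},
            "versions": {"patched": [">=1.2.3"], "unaffected": []},
            "package": {"name": "example-crate", "version": "1.2.0"},
        }],
    },
    "warnings": {
        "unmaintained": [{
            "kind": "unmaintained",
            "advisory": {"id": "RUSTSEC-2024-0384", "package": "old-crate",
                         "title": "old-crate is unmaintained"},
            "package": {"name": "old-crate", "version": "0.3.1"},
        }],
    },
})

# Constructed `govulncheck -json` stream (one JSON object per line).
# Module/package names and the fixed version are placeholders.
GOVULNCHECK_SAMPLE = "\n".join([
    '{"config": {"protocol_version": "v1.0.0", "scanner_name": "govulncheck"}}',
    '{"progress": {"message": "Scanning your code and 1 package across 1 dependent module"}}',
    '{"osv": {"id": "GO-2025-3922", "summary": "placeholder summary"}}',
    # module-level finding: vulnerable module is in go.mod
    '{"finding": {"osv": "GO-2025-3922", "fixed_version": "v1.4.0", '
    '"trace": [{"module": "example.com/mod", "version": "v1.3.0"}]}}',
    # symbol-level finding: the vulnerable function is reachable from main
    '{"finding": {"osv": "GO-2025-3922", "fixed_version": "v1.4.0", '
    '"trace": [{"module": "example.com/mod", "version": "v1.3.0", '
    '"package": "example.com/mod/pkg", "function": "Parse"}, '
    '{"module": "example.com/app", "package": "example.com/app", "function": "main"}]}}',
])


def triage_cargo_audit(report_json):
    """Split a cargo-audit report into (vulnerabilities, unmaintained warnings)."""
    report = json.loads(report_json)
    vulns = [{
        "id": e["advisory"]["id"],
        "package": e["package"]["name"],
        "version": e["package"]["version"],
        "patched": e.get("versions", {}).get("patched", []),
    } for e in report.get("vulnerabilities", {}).get("list", [])]
    unmaintained = [{
        "id": e["advisory"]["id"],
        "package": e["package"]["name"],
        "version": e["package"]["version"],
    } for e in report.get("warnings", {}).get("unmaintained", [])]
    return vulns, unmaintained


def triage_govulncheck(ndjson):
    """Map each OSV id to {reachable, fixed_version, module} from a govulncheck stream."""
    findings = {}
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        finding = json.loads(line).get("finding")
        if not finding:
            continue  # config/progress/osv records carry no per-code finding
        trace = finding.get("trace") or []
        info = findings.setdefault(finding["osv"], {
            "reachable": False,
            "fixed_version": finding.get("fixed_version"),
            "module": trace[0].get("module") if trace else None,
        })
        # A trace whose first entry names a function is a symbol-level finding:
        # the vulnerable code is called, not merely present in go.mod.
        if trace and trace[0].get("function"):
            info["reachable"] = True
    return findings


def prioritize(cargo_report, go_report):
    """Return (priority, advisory id, action) tuples, most urgent first."""
    vulns, unmaintained = triage_cargo_audit(cargo_report)
    actions = []
    for osv, info in sorted(triage_govulncheck(go_report).items()):
        prio = 1 if info["reachable"] else 2
        note = "reachable, upgrade now" if info["reachable"] else "not reachable, upgrade"
        actions.append((prio, osv, f"{note}: {info['module']} -> {info['fixed_version']}"))
    for v in vulns:
        fix = ", ".join(v["patched"]) or "no patched version"
        actions.append((2, v["id"], f"upgrade {v['package']} {v['version']} to {fix}"))
    for u in unmaintained:
        actions.append((3, u["id"], f"replace unmaintained {u['package']} {u['version']}"))
    return sorted(actions)


if __name__ == "__main__":
    for prio, advisory, action in prioritize(CARGO_AUDIT_SAMPLE, GOVULNCHECK_SAMPLE):
        print(f"P{prio} {advisory}: {action}")
```

The ordering encodes the point of the signal: a reachable Go finding outranks everything else, a Rust advisory with a published patched range is a straightforward upgrade, and an unmaintained-crate warning is a replacement task rather than a patch. Feeding the real reports in place of the constructed samples gives a ranked list to work through before the next Scorecard run.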