Time-to-Patch Analysis

How fast do AI/ML packages respond to security vulnerabilities? Benchmarking 71 packages with 3+ known CVEs.

Based on NVD publication-to-modification data. Updated continuously.

Packages Analyzed: 71
Industry Average: 71.1d
Fastest (Gemini CLI): 0.0d
Slowest (TensorFlow): 1372.0d

CISO Analysis (data updated 2026-07-04)

Executive Summary

The AI/ML ecosystem still has a patch-rate gap, but the picture is sharper than the early "crisis" narrative suggested. Across all CVE-to-package associations we track, 40.8% have a documented fix available (1,158 of 2,837 entries) — better than first feared, but well below the 60-70% rate typical of mainstream software. For CISOs managing AI deployments, this means patch management remains a strategic risk decision: when no vendor-supplied fix exists at the moment of disclosure, you cannot simply "patch and move on."

The packages topping the risk-score table are: torch (85/100), ollama (84), mlflow (81), gradio (80), litellm (79). These combine high CVE volume, critical severity, and in many cases active exploitation. They are not niche tools; they are foundational components of enterprise AI stacks.

Key Findings

  • 40.8% global patch coverage across 2,837 CVE-package associations. The remaining 1,158 associations have no documented fix in package metadata at the time of analysis.
  • torch remains #1 by risk score (85/100) — 45 CVEs, ~11% patch coverage. High blast radius through downstream dependents amplifies every vulnerability.
  • ollama (84/100) is the highest-risk inference platform with 27 CVEs including SSRF, authentication bypass, and command injection. Patch coverage at ~11% — release cadence outpaces backport discipline.
  • mlflow (81/100) has 74 CVEs, making it the most vulnerability-dense MLOps platform. ~31% patch coverage. Path traversal, authentication bypass, and code execution dominate, which is particularly concerning given its role in model training pipelines.
  • gradio (80/100) and litellm (79/100) patch faster than peers. ~27% and ~46% of their CVE-products have a recorded fix respectively, meaningfully better than ollama or torch despite similar disclosure volume.
  • TensorFlow has the highest absolute CVE count (434) but a lower risk score (67/100) thanks to Google's relatively mature security process and faster patch cadence than newer frameworks.
  • Newer agent platforms still trail. Flowise, LangFlow, and similar tools continue to show patch coverage in the low double digits while their feature surface grows monthly.

Trend Analysis

The patch-velocity data reveals a fundamental tension in the AI ecosystem: speed of innovation versus security maturity. Established projects (TensorFlow, scikit-learn) maintain better patch coverage because they have dedicated security teams, established CVE processes, and corporate or community backing. The newer wave of LLM frameworks, agent platforms, and inference servers is growing its user base faster than its security posture can keep pace.

The "move fast and break things" culture that drove web development's early years is repeating in AI tooling, with higher stakes. An unpatched RCE in a web framework affects a website. An unpatched RCE in an inference server affects every model it serves and every system it connects to.

OpenSSF Scorecard scores correlate moderately with patch velocity: packages scoring above 7/10 patch noticeably faster than those below 4/10. Branch protection, dependency updates, and a published security policy are reliable predictors of patch responsiveness — and they are visible to anyone evaluating a dependency before adopting it.

Recommendations

  1. Evaluate AI dependencies by patch velocity, not just functionality. When choosing between competing AI frameworks, include time-to-patch and patch coverage as selection criteria. A tool that patches in 7 days is categorically safer than one that takes 90 days, regardless of feature parity.
  2. Implement compensating controls for unpatched AI vulnerabilities. With ~40.8% patch coverage, you cannot rely on vendor patches alone. Deploy WAF rules, network segmentation, input validation, and runtime monitoring as compensating controls.
  3. Prioritize patching for the top-5 risk-score packages. If your stack includes torch, ollama, mlflow, gradio, or litellm, treat their CVEs as high-priority patch cycles — these combine high severity, active exploitation, and wide blast radius.
  4. Monitor OpenSSF Scorecards for your AI dependencies. Packages with scores below 4/10 are statistically more likely to have slow or missing patch cycles. Treat that as a red flag in procurement decisions.
  5. Budget for AI-specific vulnerability management. The patch gap means your team will spend disproportionate time on workarounds, compensating controls, and risk acceptances for AI components. Plan staffing and tooling accordingly.

Methodology

Time-to-patch metrics are derived from `cve_products.first_patched_version` — the earliest fixed version recorded against a CVE for a given package. Patch coverage is the share of CVE-product associations with a non-null patched version. Risk scores combine 7+ signals: CVE volume, severity distribution, EPSS exploitation probability, KEV status, blast radius (downstream dependents), OpenSSF scorecard, and patch responsiveness. Data sources include NVD, GitHub Security Advisories, PyPI, npm, OSV, and vendor changelogs. All numeric values in this analysis are pulled live from the database on every page load.
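The coverage and average-days calculation described above, as an added example (not this site's own code or schema). Only the `cve_products` table and its `first_patched_version` column come from the page; the other columns, the package names, and every row are constructed, and the average is assumed to be last-modified minus published date over patched rows only.

```python
import sqlite3

# Constructed sample rows, not real data. Only `first_patched_version` is a
# column name from the page; the other columns and package names are assumed.
ROWS = [
    # package, cve_id, published, last_modified, first_patched_version
    ("pkg-a", "EXAMPLE-0001", "2025-01-01", "2025-01-05", "1.2.1"),
    ("pkg-a", "EXAMPLE-0002", "2025-02-01", "2025-02-20", None),
    ("pkg-a", "EXAMPLE-0003", "2025-03-01", "2025-03-11", "1.3.0"),
    ("pkg-b", "EXAMPLE-0004", "2025-01-10", "2025-01-10", "0.9.4"),
    ("pkg-b", "EXAMPLE-0005", "2025-01-20", "2025-06-01", None),
    ("pkg-b", "EXAMPLE-0006", "2025-02-02", "2025-02-02", None),
    ("pkg-c", "EXAMPLE-0007", "2025-04-01", "2025-04-03", None),
]

QUERY = """
SELECT package,
       COUNT(*)                     AS cves,
       COUNT(first_patched_version) AS patched,   -- counts non-NULL only
       ROUND(100.0 * COUNT(first_patched_version) / COUNT(*)) AS patch_rate,
       -- Average only over rows that have a fix; AVG() skips the NULLs and
       -- yields NULL when a package has no patched row at all.
       ROUND(AVG(CASE WHEN first_patched_version IS NOT NULL
                      THEN julianday(last_modified) - julianday(published)
                 END), 1)           AS avg_days
FROM cve_products
GROUP BY package
"""


def patch_metrics(rows=ROWS):
    """Return (package, cves, patched, patch_rate, avg_days) per package,
    fastest average first and packages with no recorded fix last."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE cve_products (package TEXT, cve_id TEXT, published TEXT,"
        " last_modified TEXT, first_patched_version TEXT)"
    )
    db.executemany("INSERT INTO cve_products VALUES (?, ?, ?, ?, ?)", rows)
    result = db.execute(QUERY).fetchall()
    db.close()
    # Same ordering as the ranking table: ascending avg_days, NULLs at the end.
    result.sort(key=lambda r: (r[4] is None, r[4] or 0.0, r[0]))
    return result


if __name__ == "__main__":
    for package, cves, patched, rate, avg in patch_metrics():
        days = "-" if avg is None else f"{avg:.1f}d"
        print(f"{package:6} {cves:3} {patched:3} {rate:4.0f}% {days}")
```

In this constructed data `pkg-b` ranks first on average days while only a third of its entries have a fix, because unpatched rows never enter the mean; read Avg Days together with Patch Rate.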

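| # | Package | CVEs | Patched | Patch Rate | Avg Days |
|---|---------|------|---------|------------|----------|
| 1 | Gemini CLI | 3 | 1 | 33% | 0.0d |
| 2 | OpenAI Node | 7 | 3 | 43% | 0.0d |
| 3 | Streamlit | 14 | 1 | 7% | 0.0d |
| 4 | PraisonAI Agents | 48 | 33 | 69% | 0.1d |
| 5 | PraisonAI | 123 | 101 | 82% | 0.1d |
| 6 | Local Deep Research | 3 | 3 | 100% | 0.3d |
| 7 | H2O | 13 | 1 | 8% | 0.3d |
| 8 | LMDeploy | 3 | 1 | 33% | 0.3d |
| 9 | Microsoft APM | 8 | 4 | 50% | 0.7d |
| 10 | LoLLMs | 9 | 3 | 33% | 0.8d |
| 11 | Composio | 4 | 1 | 25% | 1.5d |
| 12 | Claude Code | 37 | 27 | 73% | 2.0d |
| 13 | Flowise | 137 | 60 | 44% | 2.6d |
| 14 | Anthropic Node | 3 | 2 | 67% | 2.9d |
| 15 | OpenClaw | 488 | 199 | 41% | 3.3d |
| 16 | LangGraph | 12 | 10 | 83% | 4.0d |
| 17 | HF Datasets | 5 | 5 | 100% | 4.4d |
| 18 | Open WebUI | 116 | 89 | 77% | 5.1d |
| 19 | Fickling | 14 | 14 | 100% | 5.4d |
| 20 | Panel | 44 | 26 | 59% | 6.0d |
| 21 | Anthropic Python | 20 | 18 | 90% | 6.1d |
| 22 | n8n | 127 | 67 | 53% | 7.0d |
| 23 | Chainlit | 3 | 2 | 67% | 7.2d |
| 24 | smolagents | 8 | 2 | 25% | 9.7d |
| 25 | MLX | 4 | 2 | 50% | 10.9d |
| 26 | picklescan | 98 | 59 | 60% | 11.8d |
| 27 | Cohere | 8 | 1 | 13% | 13.8d |
| 28 | BentoML | 20 | 11 | 55% | 14.1d |
| 29 | MONAI | 5 | 5 | 100% | 14.7d |
| 30 | MCP Atlassian | 5 | 5 | 100% | 16.5d |
| 31 | DeepSeek TUI | 4 | 4 | 100% | 16.6d |
| 32 | Langroid | 7 | 7 | 100% | 17.6d |
| 33 | Ollama | 27 | 3 | 11% | 18.1d |
| 34 | Diffusers | 3 | 3 | 100% | 18.1d |
| 35 | Jupyter | 46 | 27 | 59% | 19.6d |
| 36 | OpenAI Python | 7 | 1 | 14% | 23.0d |
| 37 | skops | 3 | 3 | 100% | 26.4d |
| 38 | XGrammar | 4 | 4 | 100% | 34.5d |
| 39 | LangChain Core | 9 | 7 | 78% | 35.5d |
| 40 | SageMaker | 6 | 6 | 100% | 36.3d |
| 41 | ONNX | 11 | 10 | 91% | 43.8d |
| 42 | LangChain Community | 7 | 4 | 57% | 47.6d |
| 43 | LiteLLM | 35 | 16 | 46% | 48.4d |
| 44 | LlamaIndex Core | 7 | 7 | 100% | 49.7d |
| 45 | LlamaIndex | 15 | 13 | 87% | 50.0d |
| 46 | vLLM | 191 | 43 | 23% | 50.8d |
| 47 | Keras | 22 | 10 | 46% | 57.4d |
| 48 | ExecuTorch | 13 | 12 | 92% | 64.1d |
| 49 | Langflow | 75 | 30 | 40% | 66.8d |
| 50 | MLflow | 85 | 26 | 31% | 75.6d |
| 51 | MS Swift | 4 | 1 | 25% | 84.2d |
| 52 | Transformers | 52 | 22 | 42% | 86.6d |
| 53 | InvokeAI | 5 | 3 | 60% | 91.6d |
| 54 | Gradio | 82 | 22 | 27% | 107.0d |
| 55 | Ray | 13 | 10 | 77% | 140.8d |
| 56 | Label Studio | 7 | 5 | 71% | 145.1d |
| 57 | LangChain | 72 | 17 | 24% | 155.6d |
| 58 | LLaMA Factory | 4 | 3 | 75% | 166.5d |
| 59 | Pydantic AI | 9 | 9 | 100% | 205.7d |
| 60 | PyTorch | 55 | 6 | 11% | 216.4d |
| 61 | Jupyter Notebook | 20 | 12 | 60% | 345.0d |
| 62 | PyTorch Lightning | 7 | 4 | 57% | 410.5d |
| 63 | TensorFlow | 454 | 20 | 4% | 1372.0d |
| 64 | Mistral AI | 4 | 0 | 0% | - |
| 65 | scikit-learn | 3 | 0 | 0% | - |
| 66 | LLaMA Factory | 4 | 0 | 0% | - |
| 67 | LlamaIndex | 6 | 0 | 0% | - |
| 68 | GPT Academic | 6 | 0 | 0% | - |
| 69 | WPBot | 6 | 0 | 0% | - |
| 70 | ChuanhuChatGPT | 4 | 0 | 0% | - |
| 71 | ChromaDB | 6 | 0 | 0% | - |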
