Severity levels

Use severity levels to help you with vulnerability assessment for your applications.

Introduction to Snyk severity levels

Severity levels indicate the assessed level of risk, as one of Critical / High / Medium / Low:
This may allow attackers to access sensitive data and run code on your application
This may allow attackers to access sensitive data in your application
Under some conditions, this may allow attackers to access sensitive data on your application
Application may expose some data that allows vulnerability mapping, which can be used with other vulnerabilities to attack the application
Severity levels also apply to license issues. See Licenses.

Severity levels and Priority Scores

Severity levels are one factor feeding into Snyk's Priority Score for each vulnerability, along with factors such as Snyk’s Exploit Maturity and Reachable Vulnerabilities information.
See Snyk Priority Score for details.

Viewing severity levels

Severity levels are displayed throughout Snyk, to show this information at all times.
For example, in the Pending tasks section of the Dashboard:
Associated with your Snyk Projects:
Severity levels in Projects
Severity levels in Projects
And for each vulnerability in a project:
Severity levels in vulnerabilities
Severity levels in vulnerabilities

Determining severity levels

Severity levels and CVSS

The Common Vulnerability Scoring System (CVSS) determines the severity level of a vulnerability.
At Snyk, we use CVSS framework version 3.1 to communicate the characteristics and severity of vulnerabilities.
CVSS score
9.0 - 10.0
7.0 - 8.9
4.0 - 6.9
0.0 - 3.9
The severity level and score are determined based on the CVSS Base Score calculations using the Base Metrics. The Temporal Score, based on the Temporal Metrics, affects the Priority Score.
Severity levels may not always align with CVSS scores. For example, Snyk Container severity scores for Linux vulnerabilities may vary depending on NVD severity rankings; see Understanding Linux vulnerability severity for more details.

Why are there multiple CVSS Scores for the same vulnerability?

  • ​When evaluating the severity of a vulnerability, it's important to note that there is no single CVSS vector - there are multiple CVSS vectors defined by multiple vendors, with the National Vulnerability Database (NVD) being one of them.
  • The majority of vulnerabilities published by Snyk originate from proprietary research, public information sources, or through 3rd party disclosures.
  • For example, when Snyk discovered the Critical Severity Spring4Shell vulnerability, the advisory published on March 30th, 2022, with the CVSS vector analysis, before an official CVE was assigned, and before NVD conducted their analysis, which was published 9 days later, on April 8th, 2022.
  • Having some differences in CVSS vectors is normal and expected. The likelihood of certain attack vectors will raise discrepancies, and judgments will need to be made about them in a way that makes sense for the application and use cases of open-source software users.
  • A vulnerability's severity is influenced by a variety of factors, including whether it comes from a "red team" angle or a "blue team" angle. To arrive at an objective and actionable rating, Snyk analysts examine the full range of data - from vendors to reporters to attackers.
  • There are times when a vendor discovers additional information about a vulnerability that can affect its severity. Users can find all the relevant information used to determine the severity that Snyk curated in the advisory's description and references.