Severity levels

Use severity levels to help you with vulnerability assessment for your applications. Severity levels indicate the assessed level of risk, as Critical, High, Medium, or Low. Snyk reports the number of vulnerabilities at each level of severity in many places in the Snyk application. The display varies; a typical example follows.
Issues at each level of severity, C, H, M, and L
Severity levels also apply to license issues. See Licenses.
The severity levels are defined in the following table.

Severity    Definition
Critical    May allow attackers to access sensitive data and run code on your application
High        May allow attackers to access sensitive data in your application
Medium      Under some conditions, may allow attackers to access sensitive data on your application
Low         Application may expose some data that allows vulnerability mapping, which can be used with other vulnerabilities to attack the application

Severity levels and Priority Score

Severity levels are one factor used in determining the Snyk Priority Score for each vulnerability. Other factors include Snyk Exploit Maturity and Reachable Vulnerabilities information.
See Snyk Priority Score for details.

How to view severity levels

Severity levels are displayed throughout Snyk, to keep this information visible at all times.
For example, the severity levels appear in the Pending tasks section of the Dashboard:
Severity levels with Pending tasks
Severity levels are displayed in association with your Snyk Projects:
Severity levels associated with Projects
The number of issues at each severity level is also displayed in the left sidebar of an issue card:
Issue card; severity levels in sidebar

How Snyk determines severity levels

Severity levels and CVSS

Snyk derives the severity level of a vulnerability from its Common Vulnerability Scoring System (CVSS) score.
Snyk uses CVSS version 3.1 to describe the characteristics of a vulnerability and to score its severity. The base score maps to a severity level as follows.

Severity    CVSS score
Critical    9.0 - 10.0
High        7.0 - 8.9
Medium      4.0 - 6.9
Low         0.0 - 3.9

The severity level and score are determined from the CVSS Base Score, which is calculated from the Base Metrics only. The Temporal Score, calculated from the Temporal Metrics, does not change the severity level; it is a factor in the Priority Score instead.
Severity levels may not always align with CVSS scores. For example, Snyk Container severity scores for Linux vulnerabilities may vary depending on NVD severity rankings; see Understanding Linux vulnerability severity for details.

Why are there multiple CVSS Scores for the same vulnerability?

There are multiple CVSS Scores for the same vulnerability for several reasons:
  • When evaluating the severity of a vulnerability, note that there is no single authoritative CVSS vector. Several vendors publish their own vectors for the same vulnerability; the National Vulnerability Database (NVD) is only one of them.
  • The majority of vulnerabilities published by Snyk originate from proprietary research, public information sources, or through third-party disclosures. For example, when Snyk discovered the Critical Severity Spring4Shell vulnerability, the advisory was published on March 30, 2022, with the CVSS vector analysis. This was before an official CVE was assigned and before NVD conducted its analysis, which was published nine days later on April 8, 2022.
  • Some variation between CVSS vectors is normal and expected. Judging how likely a given attack vector is involves discretion, and Snyk exercises that discretion in a way that fits the applications and use cases of open source software users.
  • The severity of a vulnerability is influenced by a variety of factors, including whether it comes from a "red team" angle or a "blue team" angle. To arrive at an objective and actionable rating, Snyk analysts examine the full range of data, from vendors to reporters to attackers.
  • Sometimes a vendor discovers additional information about a vulnerability after publication that changes its severity. All the information Snyk used to determine the severity is available in the description and references of the Snyk advisory.