Hopper Uncovers Over 2.5 Million Vulnerabilities Hidden in Java

NEW YORK, April 24, 2025 /PRNewswire/ -- Hopper, the enterprise solution for open-source software (OSS) security, today announced groundbreaking research revealing over 2.5 million hidden vulnerabilities in shaded and repackaged Java dependencies. In a blog post titled "Fifty Shades of JAR: A Love Story Between Devs and CVEs," the Hopper team analyzed more than 16 million Java artifacts from Maven Central, uncovering a widespread industry blind spot: vulnerabilities buried inside Uber JARs and shaded packages that escape detection due to metadata loss and namespace obfuscation.

"Most security tools heavily rely on metadata in manifest files to detect and assess risk. In Java, shading is a build process similar to copying, pasting, and renaming packages to avoid dependency conflicts. This strips away critical metadata and breaks the connection to known vulnerabilities. As a result, SCA tools lose visibility into the shaded code. Hopper uses binary analysis to inspect the compiled code directly, restoring visibility and exposing hidden risks that others miss."

Key Findings

- Over 231K packages contained shaded dependencies
- These 231K packages shaded 1.4 million distinct packages
- 2.5 million vulnerabilities were identified in these 1.4M packages, including:
  - 425,000 critical vulnerabilities
  - 1.2 million high severity vulnerabilities
  - Over 8,000 CISA KEVs
  - More than 3,000 instances of Log4j (CVE-2021-44228)
- 47% increase in detected vulnerabilities for a Fortune 200 company after enabling shaded analysis

These findings raise critical questions about the industry's reliance on package metadata, particularly as shaded and repackaged code becomes standard in modern Java development.

The Technical Root: Java Shading and the Metadata Mirage

Shading, a common practice in Java build systems like Maven and Gradle, renames package paths to avoid conflicts. While effective for dependency management, shading strips out key metadata and obscures vulnerability inheritance. As a result, Software Composition Analysis (SCA) tools, which rely on POM files and package registries, fail to detect real, exploitable vulnerabilities embedded in production code.

"Security visibility breaks the moment a dependency is removed from the manifest," said Gutman. "The code is still there. The risk is still real. But most scanners never look deep enough to find it."

Hopper's Approach: Binary-Level Precision

Hopper inspects the actual bytecode of Java binaries.
Its static analysis engine maps function-level reachability and traces the origin of vulnerable functions, even when code has been shaded or relocated. By focusing on whether a vulnerable function is truly present and exploitable, Hopper eliminates over 93% of security noise and delivers actionable, high-confidence findings.

"This is not about surfacing more CVEs," said Gutman. "It's about identifying the vulnerabilities that matter. Those that live in your execution path and could actually be exploited."

What This Means for Security Teams

Hopper's findings signal a wake-up call for security and development leaders:

- Shaded and embedded code cannot be ignored: Without visibility into the binary, organizations face hidden risk exposure.
- CVE tracking is no longer enough: Metadata-based scanning is insufficient when identity is altered through shading.
- Function-level context is now table stakes: Security teams need reachability-aware tools that reflect how software is actually built and deployed.

Hopper is not just reducing noise. It is redefining what effective open-source security looks like.

Learn more at www.hopper.security

Media Contact
Valerie Zargarpur
[email protected]

SOURCE Hopper
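The metadata gap described in the release can be seen on a small scale by comparing what a JAR declares about itself with what it actually contains. The script below is an added example written for this page, not Hopper's tooling or the method behind the research: it builds a constructed uber JAR in memory, reads the Maven `pom.properties` entries that a metadata-driven SCA tool would rely on, and then walks the class entries looking for well-known library classes that appear under a relocated (shaded) prefix. The fingerprint table is a deliberately tiny assumption of my own (`JndiLookup` is the log4j-core class the CVE-2021-44228 fix removed, and `ObjectMapper` is jackson-databind's entry point); a real scanner would key on bytecode hashes rather than class names.

```python
"""Detect libraries bundled in a JAR that its Maven metadata does not declare.

Added example for this page (not Hopper's code). Demonstrates why
metadata-only SCA misses shaded dependencies and how inspecting the
archive contents restores visibility.
"""
import io
import zipfile

# Assumed fingerprint table (constructed for this example): a class path that
# uniquely identifies a library, mapped to that library's Maven artifactId.
CLASS_FINGERPRINTS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j-core",
    "org/apache/logging/log4j/core/net/JndiManager.class": "log4j-core",
    "com/fasterxml/jackson/databind/ObjectMapper.class": "jackson-databind",
}


def declared_artifacts(jar: zipfile.ZipFile) -> set[str]:
    """artifactIds visible to a metadata scanner, taken from
    META-INF/maven/<groupId>/<artifactId>/pom.properties entries."""
    found = set()
    for name in jar.namelist():
        parts = name.split("/")
        if (len(parts) == 5 and parts[:2] == ["META-INF", "maven"]
                and parts[4] == "pom.properties"):
            found.add(parts[3])
    return found


def embedded_libraries(jar: zipfile.ZipFile) -> dict[str, set[str]]:
    """Map library -> set of path prefixes under which a fingerprint class was
    found. An empty prefix means the class sits at its original package path;
    any other prefix is a shade-style relocation (e.g. 'com/example/shaded/')."""
    hits: dict[str, set[str]] = {}
    for name in jar.namelist():
        if not name.endswith(".class"):
            continue
        for fingerprint, library in CLASS_FINGERPRINTS.items():
            if name == fingerprint:
                prefix = ""
            elif name.endswith("/" + fingerprint):
                prefix = name[: -len(fingerprint)]
            else:
                continue
            hits.setdefault(library, set()).add(prefix)
    return hits


def analyze(jar_bytes: bytes) -> dict:
    """Compare declared metadata with actual contents; 'hidden' lists libraries
    present in the archive that no pom.properties admits to."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        declared = declared_artifacts(jar)
        embedded = embedded_libraries(jar)
    hidden = {lib: prefixes for lib, prefixes in embedded.items()
              if lib not in declared}
    return {"declared": declared, "embedded": embedded, "hidden": hidden}


def build_sample_jar() -> bytes:
    """Constructed uber JAR: only the application itself is declared, while
    log4j-core classes are present under a relocated prefix and jackson-databind
    is bundled at its original path without its own pom.properties."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; contents are irrelevant here
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     "Manifest-Version: 1.0\nMain-Class: com.example.App\n")
        jar.writestr("META-INF/maven/com.example/app/pom.properties",
                     "groupId=com.example\nartifactId=app\nversion=1.0.0\n")
        jar.writestr("com/example/App.class", stub)
        # Relocated copy of log4j-core, as a shade plugin relocation rule would produce.
        jar.writestr("com/example/shaded/org/apache/logging/log4j/core/lookup/JndiLookup.class", stub)
        jar.writestr("com/example/shaded/org/apache/logging/log4j/core/net/JndiManager.class", stub)
        # Bundled unrelocated, but still undeclared in Maven metadata.
        jar.writestr("com/fasterxml/jackson/databind/ObjectMapper.class", stub)
    return buf.getvalue()


if __name__ == "__main__":
    report = analyze(build_sample_jar())
    print("declared by metadata:", sorted(report["declared"]))
    for lib, prefixes in sorted(report["hidden"].items()):
        where = ", ".join(repr(p) for p in sorted(prefixes))
        print(f"hidden library {lib}: found under prefix(es) {where}")
```

Run as a script it reports `app` as the only declared artifact and flags both `log4j-core` (under `com/example/shaded/`) and `jackson-databind` (at its original path) as undeclared. Two caveats a practitioner should keep in mind: matching on class paths still fails once a shade or minimization step renames or drops the fingerprint classes, which is why the release argues for working from the bytecode itself, and a name hit says nothing about the version or whether the vulnerable function is reachable, so it is a triage signal rather than a confirmed finding.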