OSV Vulnerabilities
Query vulnerabilities from OSV.dev across 38+ ecosystems.
Endpoint
GET /api/v1/osv/:package
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| package | string | Yes | Package name to query |
Query Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| ecosystem | string | all | Specific ecosystem to query (e.g., npm, PyPI, Debian) |
| version | string | - | Filter vulnerabilities affecting this version |
Response (Single Ecosystem)
```json
{
  "success": true,
  "data": {
    "package": "express",
    "ecosystem": "npm",
    "version": "any",
    "vulnerabilities": [
      {
        "id": "GHSA-rv95-896h-c2vc",
        "modified": "2024-01-10T12:00:00Z",
        "summary": "Express allows untrusted input to be included in redirects",
        "severity": "high"
      }
    ]
  },
  "timestamp": "2024-01-15T12:00:00.000Z"
}
```
Response (All Ecosystems)
When no ecosystem is specified, results are grouped by ecosystem:
```json
{
  "success": true,
  "data": {
    "package": "curl",
    "ecosystem": "all",
    "version": "any",
    "vulnerabilities": {
      "Debian": [
        {
          "id": "DEBIAN-CVE-2024-0853",
          "modified": "2024-01-15T00:00:00Z"
        }
      ],
      "Ubuntu": [
        {
          "id": "USN-6641-1",
          "modified": "2024-01-14T00:00:00Z"
        }
      ],
      "Alpine": [
        {
          "id": "CVE-2024-0853",
          "modified": "2024-01-15T00:00:00Z"
        }
      ]
    }
  },
  "timestamp": "2024-01-15T12:00:00.000Z"
}
```
Response Fields
Vulnerability Object
| Field | Type | Description |
|---|---|---|
| id | string | OSV vulnerability identifier |
| modified | string | Last modification timestamp |
| summary | string | Brief vulnerability description (when available) |
| severity | string | Severity level (when available) |
Examples
Query All Ecosystems
```bash
# Returns vulnerabilities from all 38+ ecosystems
curl "https://api.vulnpatch.dev/api/v1/osv/openssl"
```
Query Specific Ecosystem
```bash
# Query npm only
curl "https://api.vulnpatch.dev/api/v1/osv/express?ecosystem=npm"
# Query PyPI only
curl "https://api.vulnpatch.dev/api/v1/osv/requests?ecosystem=PyPI"
# Query Debian only
curl "https://api.vulnpatch.dev/api/v1/osv/curl?ecosystem=Debian"
```
Query With Version
```bash
curl "https://api.vulnpatch.dev/api/v1/osv/lodash?ecosystem=npm&version=4.17.20"
```
Code Examples
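```javascript
async function getVulnerabilities(packageName, ecosystem = null) {
  // Percent-encode the package name so it stays a single path segment
  let url = `https://api.vulnpatch.dev/api/v1/osv/${encodeURIComponent(packageName)}`;
  if (ecosystem) {
    // Ecosystem names can contain spaces (e.g. "Rocky Linux")
    url += `?ecosystem=${encodeURIComponent(ecosystem)}`;
  }
  const response = await fetch(url);
  if (!response.ok) {
    // Fail loudly instead of parsing an error body as results
    throw new Error(`Request failed with status ${response.status}`);
  }
  const { data } = await response.json();
  if (ecosystem) {
    // Single ecosystem: vulnerabilities is a flat array
    console.log(`Found ${data.vulnerabilities.length} vulnerabilities`);
    for (const vuln of data.vulnerabilities) {
      console.log(`- ${vuln.id}: ${vuln.summary || 'No summary'}`);
    }
  } else {
    // Results grouped by ecosystem
    for (const [eco, vulns] of Object.entries(data.vulnerabilities)) {
      console.log(`${eco}: ${vulns.length} vulnerabilities`);
    }
  }
}
```
```python
import requests
from urllib.parse import quote


def get_vulnerabilities(package_name, ecosystem=None):
    params = {}
    if ecosystem:
        params['ecosystem'] = ecosystem
    response = requests.get(
        # Percent-encode the package name so it stays a single path segment
        f"https://api.vulnpatch.dev/api/v1/osv/{quote(package_name, safe='')}",
        params=params,
        timeout=10,  # requests has no default timeout
    )
    # Fail loudly instead of parsing an error body as results
    response.raise_for_status()
    data = response.json()['data']
    if ecosystem:
        # Single ecosystem: vulnerabilities is a flat list
        print(f"Found {len(data['vulnerabilities'])} vulnerabilities")
        for vuln in data['vulnerabilities']:
            print(f"- {vuln['id']}: {vuln.get('summary', 'No summary')}")
    else:
        # Results grouped by ecosystem
        for eco, vulns in data['vulnerabilities'].items():
            print(f"{eco}: {len(vulns)} vulnerabilities")
```
Supported Ecosystems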
See Supported Ecosystems for the complete list of 38+ ecosystems.
Common Ecosystems
- Package Managers: npm, PyPI, Go, crates.io, RubyGems, Maven, NuGet
- Linux Distros: Debian, Ubuntu, Alpine, Rocky Linux, AlmaLinux
- Containers: Chainguard, Wolfi, Bitnami
Empty Results
If no vulnerabilities are found:
```json
{
  "success": true,
  "data": {
    "package": "raylib",
    "ecosystem": "all",
    "version": "any",
    "vulnerabilities": {}
  }
}
```
This doesn't mean the package is secure - it may not be tracked in OSV databases.
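The empty-result caveat matters most in automation, where an empty list is easily read as a pass. The following is an added example, not part of the VulnPatch documentation: it handles both response shapes and reports `no-data` instead of a clean verdict when nothing comes back. The verdict names and `critical` as a severity value are assumptions, and the payloads are trimmed copies of the samples on this page.

```python
# Added example: turn either response shape into a CI verdict.
# Assumptions: verdict names are hypothetical; "critical" as a severity
# value is assumed (the page only shows "high").
BLOCKING = {"critical", "high"}

# Sample payloads, trimmed from the responses shown on this page.
SINGLE = {"success": True, "data": {"package": "express", "ecosystem": "npm",
    "vulnerabilities": [{"id": "GHSA-rv95-896h-c2vc", "severity": "high"}]}}
GROUPED = {"success": True, "data": {"package": "curl", "ecosystem": "all",
    "vulnerabilities": {
        "Debian": [{"id": "DEBIAN-CVE-2024-0853"}],
        "Ubuntu": [{"id": "USN-6641-1"}],
        "Alpine": [{"id": "CVE-2024-0853"}]}}}
EMPTY = {"success": True, "data": {"package": "raylib", "ecosystem": "all",
    "vulnerabilities": {}}}


def flatten(payload):
    """Return (ecosystem, vulnerability) pairs for either response shape."""
    if not payload.get("success"):
        raise ValueError("API did not report success")
    data = payload["data"]
    vulns = data["vulnerabilities"]
    if isinstance(vulns, list):  # single-ecosystem response: flat list
        return [(data["ecosystem"], v) for v in vulns]
    # all-ecosystems response: dict keyed by ecosystem name
    return [(eco, v) for eco, items in vulns.items() for v in items]


def verdict(payload):
    """Return 'block', 'review' or 'no-data'; there is deliberately no 'clean'."""
    pairs = flatten(payload)
    if not pairs:
        # Empty result: the package may simply not be tracked in OSV.
        return "no-data"
    if any((v.get("severity") or "").lower() in BLOCKING for _, v in pairs):
        return "block"
    # Findings without a usable severity still need a human look.
    return "review"


if __name__ == "__main__":
    for name, payload in (("express", SINGLE), ("curl", GROUPED), ("raylib", EMPTY)):
        print(name, verdict(payload), [v["id"] for _, v in flatten(payload)])
```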
Caching
This endpoint is cached for 15 minutes. The X-Cache header indicates cache status.