🤖 AI Summary
This study addresses the security risks arising from prolonged unpatched dependencies in the Maven ecosystem. We conduct the first large-scale empirical analysis by leveraging the Goblin framework to perform static metadata mining on open-source libraries, integrating CWE classification and time-series analysis to systematically examine disclosure latency and patching timeliness across 77,393 vulnerable release versions—spanning 226 distinct CWE types. Results reveal a median vulnerability remediation period of 4.4 years, with documentation often delayed by nearly five years; some vulnerabilities remain unpatched for over a decade. This work provides the first quantitative characterization of temporal lag and governance failure in Maven ecosystem vulnerability evolution. It delivers critical empirical evidence and methodological support for dependency risk assessment, vulnerability response strategies, and software supply chain security governance.
📝 Abstract
Vulnerabilities in software libraries and reusable components cause major security challenges, particularly in dependency-heavy ecosystems such as Maven. This paper presents a large-scale analysis of vulnerabilities in the Maven ecosystem using the Goblin framework. Our analysis focuses on the aspects and implications of vulnerability types, documentation delays, and resolution timelines. We identify 77,393 vulnerable releases with 226 unique CWEs. On average, vulnerabilities take nearly half a decade to be documented and 4.4 years to be resolved, with some remaining unresolved for more than a decade. The delays in documenting and fixing vulnerabilities incur security risks for the library users, emphasizing the need for more careful and efficient vulnerability management in the Maven ecosystem.
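The two timing metrics the abstract reports (documentation delay and resolution time, with unresolved vulnerabilities right-censored at the observation date) can be computed from per-release metadata as follows. This is an added illustration, not the paper's or Goblin's code; the record layout, the observation date and all sample values are constructed assumptions, and the exact metric definitions used by the paper may differ.

```python
from collections import Counter
from datetime import date
from statistics import median

# Constructed sample records (not from the paper's dataset): one row per
# vulnerable release, with the release date, the date the vulnerability was
# documented, and the date of the first fixed release (None = still unfixed).
RELEASES = [
    {"gav": "org.example:lib-a:1.0", "cwe": "CWE-502",
     "released": date(2014, 3, 1), "documented": date(2019, 1, 15), "fixed": date(2019, 2, 1)},
    {"gav": "org.example:lib-b:2.3", "cwe": "CWE-79",
     "released": date(2016, 6, 10), "documented": date(2017, 6, 10), "fixed": date(2017, 9, 10)},
    {"gav": "org.example:lib-c:0.9", "cwe": "CWE-502",
     "released": date(2012, 1, 1), "documented": date(2016, 1, 1), "fixed": None},
    {"gav": "org.example:lib-d:4.1", "cwe": "CWE-22",
     "released": date(2018, 5, 20), "documented": date(2018, 5, 25), "fixed": date(2018, 6, 1)},
    {"gav": "org.example:lib-e:1.2", "cwe": "CWE-79",
     "released": date(2010, 9, 1), "documented": date(2015, 9, 1), "fixed": date(2015, 9, 1)},
]
OBSERVED = date(2024, 12, 31)   # assumed snapshot date of the metadata mining
DAYS_PER_YEAR = 365.25
DECADE_DAYS = 10 * DAYS_PER_YEAR


def documentation_delay_days(rec):
    """Days between the vulnerable release and the date its vulnerability was documented."""
    return (rec["documented"] - rec["released"]).days


def resolution_days(rec, observed=OBSERVED):
    """Days from the vulnerable release to the first fixed release.
    Returns (days, resolved); unresolved rows are censored at the observation date."""
    if rec["fixed"] is None:
        return (observed - rec["released"]).days, False
    return (rec["fixed"] - rec["released"]).days, True


def summarize(records, observed=OBSERVED):
    """Median delays in years, count of decade-old open vulnerabilities, and CWE frequencies."""
    doc = [documentation_delay_days(r) for r in records]
    res = [resolution_days(r, observed) for r in records]
    resolved_days = [d for d, ok in res if ok]
    open_over_decade = sum(1 for d, ok in res if not ok and d > DECADE_DAYS)
    return {
        "median_doc_delay_years": round(median(doc) / DAYS_PER_YEAR, 2),
        "median_resolution_years": round(median(resolved_days) / DAYS_PER_YEAR, 2) if resolved_days else None,
        "unresolved_over_decade": open_over_decade,
        "cwe_counts": dict(Counter(r["cwe"] for r in records)),
    }
```

Censoring matters: folding unfixed releases into the resolution median as if they were fixed at the snapshot date would understate how long the oldest vulnerabilities have actually stayed open.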