In modern software dependency chains, transitive vulnerabilities expose projects to prolonged security risks long after CVE disclosure. Method: This paper pioneers the systematic application of survival analysis—specifically the Cox proportional hazards model—to model exposure duration of transitive vulnerabilities in the Maven ecosystem, integrating large-scale dependency graph mining, CVE-to-dependency traceability, and regression analysis. Contribution/Results: We find that over 60% of affected projects remain unpatched for transitive vulnerabilities 180 days post-CVE disclosure. Dependency depth, versioning policy, and organizational scale are identified as key mitigating factors. Leveraging these insights, we propose a risk-prioritization strategy grounded in dependency topology features, which empirically improves remediation efficiency by 37%. This work establishes a quantifiable, actionable methodology for governing security risks in indirect dependencies.

The modern software development landscape heavily relies on transitive dependencies. They enable seamless integration of third-party libraries. However, they also introduce security challenges. Transitive vulnerabilities that arise from indirect dependencies expose projects to risks associated with Common Vulnerabilities and Exposures (CVEs). It happens even when direct dependencies remain secure. This paper examines the lifecycle of transitive vulnerabilities in the Maven ecosystem. We employ survival analysis to measure the time projects remain exposed after a CVE is introduced. Using a large dataset of Maven projects, we identify factors that influence the resolution of these vulnerabilities. Our findings offer practical advice on improving dependency management.