🤖 AI Summary
This paper addresses the challenge of tracing cross-ecosystem propagation of security vulnerabilities in open-source software ecosystems. We systematically characterize the topological structure and temporal dynamics of over 84,000 CVEs across 28 major package ecosystems. Leveraging multi-source CVE data and dependency graphs, we construct a cross-ecosystem propagation network and apply graph-based modeling alongside statistical association analysis. Our findings reveal that vulnerability propagation exhibits strong nonlinearity, long median delays (127 days), and weak dependence on ecosystem size—challenging the prevailing assumption that larger ecosystems propagate vulnerabilities faster. We identify GitHub, Debian, and Ubuntu as critical hub nodes and quantify the empirical distribution of propagation delays. This work provides the first large-scale empirical foundation and methodological framework to support coordinated, cross-ecosystem vulnerability response mechanisms.
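The summary describes building a cross-ecosystem propagation network from per-ecosystem CVE publication dates and measuring propagation delays and hub ecosystems. The following is an added illustration of that kind of analysis, written for this page; it is not the paper's code or data. The CVE records, ecosystem names and dates are constructed, and the way ties and single-ecosystem CVEs are handled is an assumption of this example rather than the paper's method.

```python
"""Added example: deriving cross-ecosystem propagation sequences, delays and
hub ecosystems from per-ecosystem CVE publication dates.

Illustrative code for this page, not the paper's tooling. All records below
are constructed; the CVE ids, ecosystems and dates are assumptions.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Constructed sample: CVE id -> [(ecosystem, date its advisory/entry appeared), ...]
SAMPLE_RECORDS = {
    "CVE-0000-0001": [("GitHub", date(2023, 1, 10)),
                      ("Debian", date(2023, 3, 1)),
                      ("Ubuntu", date(2023, 3, 5))],
    "CVE-0000-0002": [("GitHub", date(2023, 2, 1)),
                      ("Debian", date(2023, 2, 1)),   # same day as GitHub: a tie
                      ("Alpine", date(2023, 9, 1))],
    "CVE-0000-0003": [("Debian", date(2022, 6, 1))],  # single ecosystem: no propagation
    "CVE-0000-0004": [("GitHub", date(2022, 11, 1)),
                      ("Ubuntu", date(2023, 8, 30))],
}


def propagation_sequence(entries):
    """Order a CVE's ecosystem entries by date.

    Entries sharing a date form one stage, because the data alone cannot say
    which of them published first (assumed tie handling).
    """
    by_date = defaultdict(list)
    for eco, d in entries:
        by_date[d].append(eco)
    return [(d, sorted(by_date[d])) for d in sorted(by_date)]


def propagation_delay_days(entries):
    """Days between a CVE's first and last appearance; None if it never propagated."""
    seq = propagation_sequence(entries)
    if len(seq) < 2:
        return None
    return (seq[-1][0] - seq[0][0]).days


def build_propagation_graph(records):
    """Directed edge counts from every ecosystem in stage i to every one in stage i+1."""
    edges = Counter()
    for entries in records.values():
        seq = propagation_sequence(entries)
        for (_, src_stage), (_, dst_stage) in zip(seq, seq[1:]):
            for src in src_stage:
                for dst in dst_stage:
                    edges[(src, dst)] += 1
    return edges


def hub_scores(edges):
    """Total degree (in + out) per ecosystem, highest first; hubs sit at the top."""
    deg = Counter()
    for (src, dst), n in edges.items():
        deg[src] += n
        deg[dst] += n
    return deg.most_common()


def delay_summary(records):
    """Empirical distribution summary of propagation delays over propagated CVEs."""
    delays = [d for d in (propagation_delay_days(e) for e in records.values())
              if d is not None]
    return {"count": len(delays), "median_days": median(delays), "max_days": max(delays)}


if __name__ == "__main__":
    graph = build_propagation_graph(SAMPLE_RECORDS)
    for (src, dst), n in sorted(graph.items()):
        print(f"{src} -> {dst}: {n}")
    print("hubs:", hub_scores(graph))
    print("delays:", delay_summary(SAMPLE_RECORDS))
```

On the constructed records the two hub ecosystems come out as GitHub and Debian and the median delay is 212 days; on real data the interesting part is exactly what the paper measures, namely how that median and the hub set behave across tens of thousands of CVEs.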
📝 Abstract
The paper presents a traceability analysis of how over 84 thousand vulnerabilities have propagated across 28 open source software ecosystems. According to the results, the propagation sequences have been complex in general, although GitHub, Debian, and Ubuntu stand out. Furthermore, the associated propagation delays have been lengthy, and these do not correlate well with the number of ecosystems involved in the associated sequences. Nor does the presence or absence of particular ecosystems in the sequences yield clear, interpretable patterns. With these results, the paper contributes to the overlapping knowledge bases about software ecosystems, traceability, and vulnerabilities.