LLM-Enabled Open-Source Systems in the Wild: An Empirical Study of Vulnerabilities in GitHub Security Advisories
Fariha Tanjim Shifat, Hariswar Baburaj, Ce Zhou, Jaydeb Sarker, and Mia Mohammad Imran

TL;DR
This study analyzes GitHub Security Advisories related to LLMs, revealing that existing vulnerability frameworks capture code weaknesses but overlook model-mediated risks, emphasizing the need for combined perspectives.
Contribution
It provides an empirical analysis of LLM-related vulnerabilities in open-source systems, highlighting architectural risks and the limitations of current vulnerability disclosure frameworks.
Findings
Most advisories map to established CWEs like injection and deserialization.
OWASP analysis uncovers recurring architectural risks such as Supply Chain and Prompt Injection.
Existing frameworks underrepresent model-mediated exposure risks.
Abstract
Large language models (LLMs) are increasingly embedded in open-source software (OSS) ecosystems, creating complex interactions among natural language prompts, probabilistic model outputs, and execution-capable components. However, it remains unclear whether traditional vulnerability disclosure frameworks adequately capture these model-mediated risks. To investigate this, we analyze 295 GitHub Security Advisories published between January 2025 and January 2026 that reference LLM-related components, and we manually annotate a sample of 100 advisories using the OWASP Top 10 for LLM Applications 2025. We find no evidence of new implementation-level weakness classes specific to LLM systems. Most advisories map to established CWEs, particularly injection and deserialization weaknesses. At the same time, the OWASP-based analysis reveals recurring architectural risk patterns, especially…
