Why 90% of Java Services Harbor Critical Vulnerabilities – Datadog 2024 Report
Datadog’s 2024 DevSecOps report reveals that 90% of Java services contain at least one severe vulnerability—far higher than other languages—largely due to indirect dependencies, and stresses the need for comprehensive dependency scanning, prioritized remediation, and robust alert triage to manage the flood of low‑impact automated attacks.
According to Datadog’s “State of DevSecOps 2024” report, 90% of Java services contain at least one high‑ or critical‑severity vulnerability.
By comparison, the figure is about 75% for JavaScript services, 64% for Python and 50% for .NET, with an overall average of 47% across all languages.
Java services are also far more likely to be actively exploited: 55% of organizations reported exploitation of Java vulnerabilities, versus an average of only 7% for other languages.
Datadog attributes this to the prevalence of widely used Java libraries that contain many known flaws, such as Tomcat, Spring Framework, Apache Struts, Log4j and ActiveMQ.
Crucially, 63% of high‑severity Java vulnerabilities originate in indirect (transitive) dependencies: third‑party libraries pulled in by the application’s direct dependencies rather than declared by the developers themselves, which is why they are so often introduced unknowingly and are harder to detect.
This highlights the need for developers to scan the complete dependency tree, not just direct dependencies.
The report’s second major finding is that the majority of attack attempts are generated by automated security scanners; however, only 0.0065% of those attempts actually trigger a vulnerability, meaning most are harmless noise.
Given the prevalence of such low‑impact alerts, Datadog emphasizes the importance of a robust system for prioritizing alerts.
Last year the CVE program recorded over 4,000 high‑severity and more than 1,000 critical vulnerabilities, yet research published in the Cybersecurity journal in 2020 showed that only about 5% of vulnerabilities are ever exploited by real attackers.
Organizations that focus on remediating critical vulnerabilities see significant results: 63% of those that previously had critical CVEs no longer have any, and 30% have halved their number of critical issues.
Datadog recommends prioritizing vulnerabilities based on three criteria: whether the affected service is publicly exposed, whether the vulnerability exists in production, and whether there is publicly exploitable code.
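The two practical recommendations above (scan the whole dependency tree, then rank findings by exposure, production status and public exploit availability) can be turned into a small triage script. The following is an added example, not code from Datadog or from the report: it parses the text layout that `mvn dependency:tree` prints, records for every artifact whether it is direct or transitive and which direct dependency pulled it in, matches artifacts against a constructed advisory list, and ranks the hits by the report’s three criteria. The dependency tree, the versions, the `fixed_in` values and the `ADV-PLACEHOLDER-*` identifiers are all constructed sample data; a real pipeline would take the tree from the build and the advisories from a vulnerability feed or scanner.

```python
import re
from dataclasses import dataclass, field

# Constructed sample output in the layout that `mvn dependency:tree` prints.
# Coordinates and versions are illustrative, not taken from a real project.
SAMPLE_TREE = """\
[INFO] com.example:orders-service:jar:1.0.0
[INFO] +- org.springframework:spring-webmvc:jar:5.3.20:compile
[INFO] |  +- org.springframework:spring-core:jar:5.3.20:compile
[INFO] |  \\- org.springframework:spring-beans:jar:5.3.20:compile
[INFO] +- com.example:internal-logging:jar:2.1.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.apache.struts:struts2-core:jar:2.5.30:compile
"""


@dataclass
class Dep:
    group: str
    artifact: str
    version: str
    depth: int                                 # 0 = the service itself, 1 = direct, >= 2 = transitive
    path: list = field(default_factory=list)   # direct dependency and intermediates that pulled this in

    @property
    def coords(self):
        return f"{self.group}:{self.artifact}"

    @property
    def transitive(self):
        return self.depth >= 2


@dataclass
class Advisory:
    advisory_id: str      # placeholder ids; real identifiers come from the scanner's feed
    fixed_in: str         # first version that is not affected (constructed values)
    public_exploit: bool  # criterion 3 of the report: exploit code is public


@dataclass
class Finding:
    dep: Dep
    advisory: Advisory


@dataclass
class Prioritized:
    tier: str
    score: int
    finding: Finding
    criteria: dict


# Constructed advisory list keyed by (group, artifact).
ADVISORIES = {
    ("org.apache.logging.log4j", "log4j-core"): [Advisory("ADV-PLACEHOLDER-1", "2.17.1", True)],
    ("org.apache.struts", "struts2-core"): [Advisory("ADV-PLACEHOLDER-2", "2.5.31", False)],
    ("org.springframework", "spring-webmvc"): [Advisory("ADV-PLACEHOLDER-3", "5.3.18", True)],
}

# "[INFO] " then the tree-drawing prefix (|, +, \, -, spaces), then the coordinate.
LINE_RE = re.compile(r"^\[INFO\] ([|+\\ -]*)(\S+)$")


def _version_key(v):
    # Numeric dot-separated versions only: a simplification for this example,
    # since real Maven versions can carry qualifiers such as -beta or -SNAPSHOT.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def parse_dependency_tree(text):
    """Parse `mvn dependency:tree` output into Dep records, excluding the root artifact."""
    deps, stack = [], []          # stack[d] holds the most recent Dep seen at depth d
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prefix, coord = m.groups()
        parts = coord.split(":")  # group:artifact:packaging:version[:scope]
        if len(parts) < 4:
            continue              # plugin banner lines, not artifacts
        depth = len(prefix) // 3  # the tree indents three columns per level
        dep = Dep(parts[0], parts[1], parts[3], depth)
        del stack[depth:]         # drop siblings and their subtrees
        if depth >= 1:
            dep.path = [d.coords for d in stack[1:]]  # ancestors below the root
            deps.append(dep)
        stack.append(dep)
    return deps


def find_vulnerable(deps, advisories):
    """Match every artifact, direct or transitive, against the advisory list."""
    return [Finding(dep, adv)
            for dep in deps
            for adv in advisories.get((dep.group, dep.artifact), [])
            if _version_key(dep.version) < _version_key(adv.fixed_in)]


def prioritize(findings, publicly_exposed, in_production):
    """Rank findings by the report's three criteria; P1 means all three hold."""
    ranked = []
    for f in findings:
        criteria = {"publicly_exposed": publicly_exposed,
                    "in_production": in_production,
                    "public_exploit": f.advisory.public_exploit}
        score = sum(criteria.values())
        ranked.append(Prioritized({3: "P1", 2: "P2"}.get(score, "P3"), score, f, criteria))
    ranked.sort(key=lambda r: -r.score)  # stable, so tree order breaks ties
    return ranked


def triage(tree_text, advisories, publicly_exposed, in_production):
    return prioritize(find_vulnerable(parse_dependency_tree(tree_text), advisories),
                      publicly_exposed, in_production)


if __name__ == "__main__":
    for p in triage(SAMPLE_TREE, ADVISORIES, publicly_exposed=True, in_production=True):
        d = p.finding.dep
        origin = "transitive via " + " -> ".join(d.path) if d.transitive else "direct"
        print(f"{p.tier} {d.coords}@{d.version} ({origin}) {p.finding.advisory.advisory_id}")
```

Run against the constructed tree, the Log4j artifact is reported as transitive via `com.example:internal-logging`, which is exactly the kind of finding a scan limited to declared dependencies would miss, and it outranks the direct Struts finding because a public exploit exists for it. Feeding the same findings through `prioritize` with `publicly_exposed=False` and `in_production=False` drops both to P3, which is the report’s point about not treating every CVE in an internal, non‑production service as urgent.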
Other notable observations include that lightweight container images can reduce vulnerability exposure, infrastructure‑as‑code adoption is high, manual cloud deployments remain widespread, and the use of short‑lived credentials in CI/CD pipelines is still relatively low.