OSS-Fuzz Fails To Detect Longstanding Vulnerabilities
A GitHub Security Lab researcher reports that OSS-Fuzz continues to miss critical vulnerabilities in mature open-source projects, citing discoveries across GStreamer (29 bugs found in December 2024), Poppler/DjVuLibre, and Exiv2 (new CVEs in 2025). The analysis attributes gaps to low fuzzer coverage, unfuzzed dependencies, and focus on decoders over encoders, and recommends human oversight plus an iterative five-step fuzzing workflow.
Key Points
- Finds 29 new vulnerabilities in GStreamer despite seven years of continuous OSS-Fuzz enrollment
- Explains that low coverage, missing fuzzers, and unfuzzed dependencies like DjVuLibre reduce effectiveness
- Recommends human oversight and an iterative five-step workflow to improve coverage and triage results
Scoring Rationale
Strong empirical findings and practical five-step workflow, but incremental security improvement rather than a paradigm-shifting advance.
