# List Vulnerable Packages

**Description:** Retrieves a list of vulnerable packages, with options to filter the results based on various criteria such as package name, visibility, token role, and remediation status.

{% hint style="warning" %}
Note that a new vulnerability is sometimes discovered after a sealed version already exists, in which case a newer sealed version is released.

For example, `ejs@2.7.4` had two vulnerabilities that were sealed in `ejs@2.7.4-sp1`. Another vulnerability was then discovered, which required the release of `ejs@2.7.4-sp2`. In that case, if the tenant is using `ejs@2.7.4-sp1`, this endpoint returns it, because that package contains an open, unpatched vulnerability.
{% endhint %}

**Path:** [https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable](https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable?limit=2)

**Method:** GET

**Authentication:** See detailed explanation [here](https://docs.sealsecurity.io/apis/..#authentication).

#### Request Parameters

This endpoint accepts the following optional query parameters to filter the results:

<table><thead><tr><th width="202.333251953125">Parameter Name</th><th width="85.370361328125">Type</th><th width="259.7777099609375">Description</th><th width="273.4444580078125">Accepted Values</th></tr></thead><tbody><tr><td><code>package_name_contains</code></td><td>string</td><td>Filter packages that have this string in their name.</td><td>Any string</td></tr><tr><td><code>is_hidden</code></td><td>boolean</td><td>Filter packages that are hidden (<code>true</code>) or visible (<code>false</code>).</td><td><code>true</code>, <code>false</code></td></tr><tr><td><code>access_token_role</code></td><td>string</td><td>Filter packages according to the token used to detect them.</td><td><code>Production</code>, <code>Development</code></td></tr><tr><td><code>fix_availability</code></td><td>string</td><td>Filter packages by their remediation state.</td><td><code>sealed</code>, <code>pending_deploy</code>, <code>seal_available</code>, <code>fix_in_preparation</code>, <code>generate_fix</code>, <code>unfixable</code></td></tr></tbody></table>

**Details for `fix_availability` values:**

* `sealed`: The vulnerable package in this project was effectively remediated by using a safer sealed version. The sealed version was pulled at least once.
* `pending_deploy`: The next time the vulnerable package is used in this project, it will be replaced with the safer sealed version by the CLI.
* `seal_available`: The vulnerable package was detected in this project, and a safer sealed version is available for use. However, currently the CLI isn't configured to replace the vulnerable package with the sealed version.
* `fix_in_preparation`: The vulnerable package was detected in this project, and a sealed version is now under development.
* `generate_fix`: The vulnerable package was detected in this project. A sealed version is currently unavailable, but you can request one.
* `unfixable`: The vulnerable package was detected in this project. However, a sealed version is unavailable and cannot be generated due to technical reasons.

#### Response

The API returns a paginated JSON array of objects, where each object represents a vulnerable package matching the applied filters.

**Response Structure:**

```json
[
  {
    "package_name": "string",
    "package_version": "string",
    "ecosystem": "string",
    "project_name": "string",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "string",
        "score": "float"
      }
    ],
    "fix_availability": "string",
    "replaced_by_sealed_version": "string",
    "open_vulnerabilities_in_sealed_version": [
      {
        "CVE": "string",
        "score": "float"
      }
    ],
    "sealed_vulnerabilities_in_sealed_version": [
      {
        "CVE": "string",
        "score": "float"
      }
    ],
    "last_seen": "string",
    "access_token_role": "string",
    "is_hidden": "boolean"
  }
]
```

**Response Fields:**

<table><thead><tr><th width="227.5185546875">Field Name</th><th width="140.1109619140625">Type</th><th>Description</th></tr></thead><tbody><tr><td><code>package_name</code></td><td>string</td><td>The name of the package.</td></tr><tr><td><code>package_version</code></td><td>string</td><td>The version of the package.</td></tr><tr><td><code>ecosystem</code></td><td>string</td><td>The ecosystem (e.g., <code>npm</code>, <code>PyPI</code>, <code>Maven</code>) of the package.</td></tr><tr><td><code>project_name</code></td><td>string</td><td>The name of the project where the package was detected.</td></tr><tr><td><code>open_vulnerabilities_in_original_package</code></td><td>array of <code>vulnerability</code> objects</td><td>A list of vulnerabilities that are open in the original vulnerable package.</td></tr><tr><td><code>CVE</code></td><td>string</td><td>Vulnerability identifier (e.g., <code>CVE-2023-1234</code>).</td></tr><tr><td><code>score</code></td><td>float</td><td>Vulnerability risk score.</td></tr><tr><td><code>fix_availability</code></td><td>string</td><td>The remediation state of the vulnerable package. See accepted values in the Request Parameters section for detailed descriptions.</td></tr><tr><td><code>replaced_by_sealed_version</code></td><td>string</td><td>The version of the sealed package that is currently being used as a replacement. Set if <code>fix_availability</code> is <code>sealed</code>; <code>null</code> otherwise.</td></tr><tr><td><code>open_vulnerabilities_in_sealed_version</code></td><td>array of <code>vulnerability</code> objects</td><td>A list of vulnerabilities that are still open in the sealed version currently being used (a safer sealed version might be available).</td></tr><tr><td><code>sealed_vulnerabilities_in_sealed_version</code></td><td>array of <code>vulnerability</code> objects</td><td>A list of vulnerabilities that were patched (sealed) in the sealed version currently being used.</td></tr><tr><td><code>last_seen</code></td><td>string</td><td>The date and time (ISO 8601 format) when the vulnerable package was last detected.</td></tr><tr><td><code>access_token_role</code></td><td>string</td><td>The type of token (<code>Production</code> or <code>Development</code>) used to detect the vulnerable package.</td></tr><tr><td><code>is_hidden</code></td><td>boolean</td><td>Indicates whether the vulnerable package is hidden (<code>true</code>) or visible (<code>false</code>).</td></tr></tbody></table>

The vulnerability object is composed of two fields:

<table><thead><tr><th width="228.25927734375">Field Name</th><th width="140.4814453125">Type</th><th>Description</th></tr></thead><tbody><tr><td><code>CVE</code></td><td>string</td><td><p>Vulnerability identifier (e.g., <code>CVE-2023-1234</code>).</p><p>If there is no public CVE identifier, a GHSA identifier is used. If there is neither, a Snyk ID is used.</p></td></tr><tr><td><code>score</code></td><td>float</td><td>Vulnerability risk score. Can be <code>null</code>, in which case the vulnerability is rated as Low severity.</td></tr></tbody></table>
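
A triage pass over this response, as an added example that is not part of Seal Security's documentation: it groups records by the action `fix_availability` implies and singles out sealed versions that still carry open vulnerabilities (the `ejs@2.7.4-sp1` case described at the top of this page). The sample records, the bucket names and the choice to rank a `null` score as 0.0 are assumptions made for the example.

```python
import json

# Constructed sample, trimmed to the fields used here; package names, versions
# and vulnerability identifiers are placeholders, not real findings.
SAMPLE = json.loads("""[
 {"package_name": "ejs", "package_version": "2.7.4", "project_name": "DemoApp", "is_hidden": false, "fix_availability": "sealed",
  "open_vulnerabilities_in_original_package": [{"CVE": "CVE-0000-0001", "score": 9.1}, {"CVE": "CVE-0000-0003", "score": 8.8}],
  "open_vulnerabilities_in_sealed_version": [{"CVE": "CVE-0000-0003", "score": 8.8}]},
 {"package_name": "lib-a", "package_version": "1.0.0", "project_name": "DemoApp", "is_hidden": false, "fix_availability": "seal_available",
  "open_vulnerabilities_in_original_package": [{"CVE": "GHSA-0000-0000-0001", "score": null}], "open_vulnerabilities_in_sealed_version": []},
 {"package_name": "lib-b", "package_version": "3.2.0", "project_name": "DemoApi", "is_hidden": false, "fix_availability": "unfixable",
  "open_vulnerabilities_in_original_package": [{"CVE": "CVE-0000-0004", "score": 9.8}], "open_vulnerabilities_in_sealed_version": []},
 {"package_name": "lib-c", "package_version": "0.9.1", "project_name": "DemoApi", "is_hidden": true, "fix_availability": "generate_fix",
  "open_vulnerabilities_in_original_package": [{"CVE": "CVE-0000-0005", "score": 7.0}], "open_vulnerabilities_in_sealed_version": []},
 {"package_name": "lib-d", "package_version": "5.3.2", "project_name": "DemoApp", "is_hidden": false, "fix_availability": "sealed",
  "open_vulnerabilities_in_original_package": [{"CVE": "CVE-0000-0006", "score": 7.0}], "open_vulnerabilities_in_sealed_version": []},
 {"package_name": "lib-e", "package_version": "2.0.0", "project_name": "DemoApp", "is_hidden": false, "fix_availability": "pending_deploy",
  "open_vulnerabilities_in_original_package": [{"CVE": "CVE-0000-0007", "score": 7.5}], "open_vulnerabilities_in_sealed_version": []}
]""")

READY = {"pending_deploy", "seal_available"}  # a sealed version exists but is not in use yet

def max_score(vulns):
    # A null score is rated Low by the API; ranking it as 0.0 is this example's assumption.
    return max((v["score"] or 0.0 for v in vulns), default=0.0)

def triage(packages, include_hidden=False):
    """Group records by required action, highest remaining score first."""
    buckets = {"newer_seal_needed": [], "seal_ready": [], "no_seal": [], "remediated": []}
    for p in packages:
        if p["is_hidden"] and not include_hidden:
            continue
        state = p["fix_availability"]
        exposure = p["open_vulnerabilities_in_original_package"]
        if state == "sealed":
            # Only what is still open in the sealed version in use remains exposed.
            exposure = p["open_vulnerabilities_in_sealed_version"]
            name = "newer_seal_needed" if exposure else "remediated"
        else:
            name = "seal_ready" if state in READY else "no_seal"
        buckets[name].append((max_score(exposure), p["project_name"],
                              f'{p["package_name"]}@{p["package_version"]}',
                              [v["CVE"] for v in exposure]))
    for rows in buckets.values():
        rows.sort(key=lambda r: r[0], reverse=True)
    return buckets
```

Each bucket holds `(score, project, package@version, identifiers)` tuples; `newer_seal_needed` is the list to act on first, since those projects are already running a sealed build that still has open vulnerabilities.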

#### Example Requests and Responses

**1. Get all vulnerable packages:**

**Request (cURL):**

```bash
curl -X GET \
  'https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'
```

**Example Response (Truncated):**

```json
[
  {
    "package_name": "lodash",
    "package_version": "4.17.21",
    "ecosystem": "npm",
    "project_name": "MyWebApp",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "CVE-2021-23336",
        "score": 7.5
      }
    ],
    "fix_availability": "seal_available",
    "replaced_by_sealed_version": null,
    "open_vulnerabilities_in_sealed_version": [],
    "sealed_vulnerabilities_in_sealed_version": [],
    "last_seen": "2025-05-10T14:30:00Z",
    "access_token_role": "Production",
    "is_hidden": false
  },
  {
    "package_name": "spring-core",
    "package_version": "5.3.2",
    "ecosystem": "maven",
    "project_name": "InternalService",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "CVE-2022-22965",
        "score": 9.8
      }
    ],
    "fix_availability": "unfixable",
    "replaced_by_sealed_version": null,
    "open_vulnerabilities_in_sealed_version": [],
    "sealed_vulnerabilities_in_sealed_version": [],
    "last_seen": "2025-05-09T10:00:00Z",
    "access_token_role": "Development",
    "is_hidden": false
  }
]
```

**2. Filter packages by name and fix availability:**

**Request (cURL):**

```bash
curl -X GET \
  'https://external.sealsecurity.io/authenticated/api/v1/packages/vulnerable?package_name_contains=spring&fix_availability=sealed' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN'
```

**Example Response:**

```json
[
  {
    "package_name": "spring-webflux",
    "package_version": "5.3.2",
    "ecosystem": "maven",
    "project_name": "UserFacingApp",
    "open_vulnerabilities_in_original_package": [
      {
        "CVE": "CVE-2021-22096",
        "score": 7.0
      }
    ],
    "fix_availability": "sealed",
    "replaced_by_sealed_version": "spring-webflux-sealed-5.3.2-1",
    "open_vulnerabilities_in_sealed_version": [],
    "sealed_vulnerabilities_in_sealed_version": [
      {
        "CVE": "CVE-2021-22096",
        "score": 7.0
      }
    ],
    "last_seen": "2025-05-08T11:45:00Z",
    "access_token_role": "Production",
    "is_hidden": false
  }
]
```
