Guide · 8 min read
Is my framework vulnerable? A practical guide for small teams
You read that "a critical 0-day" just dropped. Now you have to figure out — in the next ten minutes, between everything else you do — whether it actually touches anything you run. Here's how to answer that quickly, and how to never have to ask manually again.
The real problem isn't too few alerts — it's too many
The National Vulnerability Database publishes tens of thousands of CVEs a year. If you subscribe to a raw feed, you get a firehose: thousands of disclosures, of which maybe a handful matter to you. The signal is buried so deep that most small teams just stop reading. That's the dangerous part — not the 0-day itself, but the fatigue that makes you miss the one that matters.
Step 1: Know your exact stack (with versions)
You can't answer "am I vulnerable?" without an inventory. List every framework, library, CMS, database, web server and runtime you run — with version numbers. For app dependencies your package.json, requirements.txt, composer.json or Gemfile.lock is the source of truth. For infrastructure (nginx, Postgres, OpenSSL, Docker), check the installed versions on your servers.
Step 2: Match the disclosure to a version range — not a name
This is where most people go wrong. "There's a Next.js CVE" tells you nothing. What matters is the affected version range. A CVE that affects Next.js < 14.2.10 is irrelevant if you're on 15.x. Always read the "known affected configurations" on the NVD entry and compare them to your installed version. If your version is outside the affected range, you can stop worrying about that one.
Step 3: Find the fixed version and the upgrade path
If you are in range, the only question that matters is: what version fixes it, and how disruptive is the upgrade? Most advisories list a fixed version. For libraries that's usually a one-line bump (npm install next@14.2.10). For infrastructure it may mean a package update and a restart. Patch the highest-CVSS, internet-facing items first.
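Steps 1 to 3 as a script, added here as an illustration and not part of this guide or of any product it mentions: a declared inventory is checked against advisories written the way NVD states "known affected configurations" (a set of version constraints that must all hold), and only in-range items are reported together with the fixed version. The inventory, advisory ids and ranges are constructed for the example.

```python
import re

# Step 1: constructed inventory of what you run, with exact versions.
INVENTORY = {
    "next": "14.2.3",
    "nginx": "1.26.1",
    "express": "4.19.2",
}

# Constructed advisories (ids and ranges are made up for illustration).
# "affected" lists constraints that must ALL hold for you to be in range.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "next",
     "affected": [(">=", "14.0.0"), ("<", "14.2.10")], "fixed": "14.2.10"},
    {"id": "EXAMPLE-ADV-2", "package": "nginx",
     "affected": [("<", "1.25.0")], "fixed": "1.25.0"},
    {"id": "EXAMPLE-ADV-3", "package": "lodash",
     "affected": [("<", "4.17.21")], "fixed": "4.17.21"},
]

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "==": lambda a, b: a == b}


def parse_version(v):
    """'14.2' -> (14, 2, 0): numeric parts, padded to three, pre-release tag dropped."""
    parts = [int(p) for p in re.findall(r"\d+", v.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(installed, constraints):
    """Step 2: True only if the installed version satisfies every constraint."""
    v = parse_version(installed)
    return all(OPS[op](v, parse_version(bound)) for op, bound in constraints)


def triage(inventory, advisories):
    """Steps 2 and 3: advisories that actually hit this stack, with the fixed version."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed is None:
            continue  # component is not in the stack: noise, not signal
        if in_range(installed, adv["affected"]):
            hits.append((adv["id"], adv["package"], installed, adv["fixed"]))
    return hits


if __name__ == "__main__":
    for adv_id, pkg, have, fixed in triage(INVENTORY, ADVISORIES):
        print(f"{adv_id}: {pkg} {have} is affected, upgrade to {fixed}")
```

The nginx entry is out of range and lodash is not in the inventory, so only the Next.js advisory is reported.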
Step 4: Don't do this manually every time
Doing steps 1–3 by hand, for every disclosure, forever, doesn't scale — which is exactly why teams fall behind. The durable fix is to declare your stack once and let something watch the feeds for you, filtering by your exact dependency and version range, and only pinging you when something is genuinely in range.
That's exactly what ZeroWatch does
Declare your stack once. ZeroWatch watches NVD, GitHub advisories and 0-day chatter daily, maps each item to your version ranges, and sends a plain-English alert with the patch action only when something actually affects you. Free for one app.
Quick FAQ
How do I check if a specific library is vulnerable right now? Run your ecosystem's audit tool — npm audit, pip-audit, composer audit — for a point-in-time check. Those catch what's already published in their advisory databases, but they don't watch continuously or cover infrastructure components. Pair a periodic audit with a continuous watcher.
What about zero-days with no CVE yet? Those surface first in GitHub issues, mailing lists and security forums before a CVE is assigned. Monitoring those sources — not just NVD — is how you hear about them early.
Is a higher CVSS always more urgent for me? No. A 9.8 in a component you don't expose to the internet can be lower priority than a 7.5 on your public login. Context — exposure and reachability — matters as much as the raw score.