EOL for Beginners

Runtime, framework, or library? —
why it changes what a CVE means for you.

Published 2026-07-08 · 10 min read · endoflife.ai Research

Two vulnerabilities can have identical severity scores and demand completely different responses — because one lives in your runtime and the other in a library four levels deep in your dependency tree. Where a flaw sits in the stack determines who can fix it, how you deploy the fix, how attackers find you, and what happens when that layer goes end-of-life. This guide walks the three layers that matter most, with the real incidents that defined each one.

(New to the terms themselves? Our beginner's guide defines every layer of the stack, and What is a CVE? covers how vulnerability IDs and scoring work. This article builds on both.)

The stack in sixty seconds

Your application code never runs alone. It sits on a runtime (the engine that executes it — Node.js, PHP, the JVM, Python), is usually structured by a framework (the skeleton that handles routing, requests, and data — Spring, Rails, Django, Angular), and pulls in dozens to thousands of libraries (borrowed building blocks — Lodash, Jackson, Log4j). A CVE can appear at any layer, and the layer is the first thing to check — before the score.

Runtime CVEs: the widest blast radius

A runtime flaw affects every application running on it, in every language feature and code path — you can't avoid it by not using a particular function, because the runtime executes everything. When OpenSSL (embedded in most runtimes' TLS handling) or Node.js itself patches a critical flaw, the exposure is universal across your fleet.

What makes runtime CVEs distinct

The multiplier
One EOL runtime silently converts every future runtime CVE into a permanent finding across every app it hosts. This is why runtime currency is the highest-leverage patch decision an organization makes — and why our risk scoring treats runtimes as a heavier attack surface than single libraries.

Framework CVEs: the architecture is the attack surface

Frameworks handle the hostile part of the job: parsing requests from strangers on the internet. So framework CVEs cluster in exactly the code that attackers can reach by simply sending traffic — request binding, file upload handling, template rendering, deserialization.

The two incidents that defined the category

Apache Struts, CVE-2017-5638. A flaw in how Struts parsed a single HTTP header allowed remote code execution. Equifax hadn't applied the two-month-old patch, and the result was the breach of 147 million people's records — still the canonical demonstration that a framework CVE plus a slow patch equals a company-defining event.

Spring4Shell, CVE-2022-22965. A request-binding flaw in Spring Framework — the JVM world's most ubiquitous framework — went from disclosure to mass scanning in days. Organizations that were on supported Spring lines patched with a version bump; those parked on EOL lines had to engineer emergency workarounds instead.

What makes framework CVEs distinct

Library CVEs: the invisible iceberg

Libraries are where the volume is: a typical application declares a few dozen dependencies and inherits hundreds to thousands transitively — dependencies of dependencies you never chose and mostly don't know you ship. Library CVEs therefore have a unique failure mode: you can be critically vulnerable through code you've never heard of.

Log4Shell (CVE-2021-44228) is the defining case. Log4j is a humble logging library, present in a staggering share of all Java software — usually transitively. When its flaw dropped, thousands of organizations spent their first days simply discovering whether and where they shipped it. The lesson wasn't "logging is dangerous"; it was that most organizations cannot answer "do we use library X?" within an hour.

What makes library CVEs distinct

The responsibility matrix

LayerWho ships the fixYour deploy actionIf the layer is EOL
RuntimeRuntime maintainers (Node, PHP, OpenJDK…)Platform upgrade; rebuild images; retest fleetEvery app on it exposed, permanently
FrameworkFramework project (Spring, Rails, Django…)Version bump if in support; migration project if notApp rewrite pressure; extended support market exists
LibraryLibrary maintainer (often a volunteer)Bump the dependency — once you find itSilent transitive exposure; fork or replace

How EOL changes each layer

Support status is the hidden variable in every row above. In support, a CVE is an event — patch ships, you apply it, done. Past end of life, a CVE is a condition — permanent until you migrate. But the flavor differs by layer: an EOL runtime poisons everything above it at once; an EOL framework holds your own application code hostage; an EOL library hides in trees you don't audit. And as we covered in the CVE guide, all three go quiet after EOL — fewer advisories, not fewer flaws — so dashboards look greenest exactly where risk is compounding fastest.

The practical playbook

Check where any layer of your stack stands right now with the EOL Checker — runtime, framework, or library, the support clock is public, and it's the one security signal that never goes quiet.

The Monthly EOL Digest™

Once a month — critical end-of-life dates, CVE blind spots, and lifecycle changes worth knowing about.

✓ You're on the list.