DevOps Vulnerabilities Surge in 2025 as High-Risk Threats Intensify Across Platforms

The DevOps ecosystem experienced a significant surge in security threats throughout 2025, with newly published research from GitProtect.io revealing a sharp rise in both the number and severity of vulnerabilities across leading platforms. The company’s DevOps Threats Unwrapped Report paints a concerning picture for enterprises increasingly reliant on tools like GitHub, GitLab, Azure DevOps, and Atlassian’s Jira and Bitbucket.

According to the findings, a total of 236 vulnerabilities were identified and patched during the year. What stands out most, however, is not just the volume but the severity of these threats: 59% were categorized as high or critical. These vulnerabilities are not merely theoretical risks; they represent real-world attack vectors capable of enabling unauthorized access, privilege escalation, data leaks, and even partial system compromise.

The report highlights a clear acceleration in the threat landscape over the course of the year. While the first half of 2025 saw 97 vulnerabilities, this number rose sharply to 139 in the second half, representing a 30% increase. Quarterly analysis further underscores this upward trajectory: vulnerabilities climbed steadily from 45 in Q1 to 52 in Q2, then to 60 in Q3, before peaking at 79 in Q4. The final quarter alone accounted for 34% of the annual total, marking it as the most active and riskiest period.

“The tools used to build and manage the world’s software are evolving rapidly, but so are the threats targeting them, making proactive security and faster response more critical than ever.”

Even more alarming is the spike in critical vulnerabilities. These rose from just four in the first half of the year to ten in the second half, a 76% increase when comparing Q1 to Q4. High-severity vulnerabilities followed a similar pattern, increasing by 55% in the latter half. November emerged as the single most volatile month, with 36 vulnerabilities identified, nearly 15% of the yearly total.

Breaking down the data further, the report lists 14 critical vulnerabilities, 126 high-severity, 75 medium, and 21 low-severity issues across platforms. These figures emphasize that the bulk of vulnerabilities pose substantial risk, demanding immediate attention from both platform providers and enterprise users.

Major DevOps platforms were not immune. GitLab reported the highest number of vulnerabilities at 129, though this marked a slight decrease from the previous year. GitHub identified 18 vulnerabilities, including several critical flaws in its cloud service. One particularly severe case involved a vulnerability in GitHub Actions that carried the maximum CVSS score of 10.0, allowing arbitrary code execution.

Microsoft Azure DevOps reported fewer vulnerabilities but included critical issues such as one allowing authentication bypass and unauthorized manipulation of data, leading to potential privilege escalation. Atlassian’s ecosystem presented perhaps the most concerning trend: all 87 vulnerabilities reported across Jira and Bitbucket were classified as either high or critical severity. Two of these achieved the highest possible severity score, highlighting the scale of risk within widely used enterprise collaboration and code management platforms.

The report places these findings within the broader context of a rapidly expanding DevOps ecosystem. With GitHub alone supporting over 180 million developers and hundreds of millions of repositories, these platforms form the backbone of modern software development. As such, vulnerabilities within them have far-reaching implications, potentially impacting millions of users and vast amounts of proprietary code.

A key takeaway from the analysis is that securing the software supply chain has become increasingly complex. As DevOps environments grow more interconnected, spanning cloud services, third-party integrations, and distributed teams, the attack surface continues to expand. This complexity makes it harder for organizations to detect vulnerabilities early and respond effectively.

While platform providers are actively patching vulnerabilities and improving security measures, the report emphasizes that responsibility does not end there. Under the shared responsibility model, enterprises must take proactive steps to protect their own data and workflows. This includes maintaining independent backups of repositories and metadata, implementing robust access controls, and continuously monitoring for potential threats.

Ultimately, the findings from GitProtect.io highlight a critical shift in cybersecurity priorities. DevOps is no longer just a productivity enabler; it is a central pillar of enterprise risk management. As vulnerabilities grow in both volume and severity, organizations must adopt a more proactive, resilient approach to security.

In an era where software drives business, ensuring the integrity of development pipelines is not optional; it is foundational to operational stability and long-term success.
