This study investigates the lifecycle evolution of CVE vulnerabilities in Maven’s direct and transitive dependencies, focusing on vulnerability propagation across parent/dependent packages and maintainer response mechanisms. Method: Leveraging full lifecycle data from 3,362 CVEs, we integrate dependency graphs, GitHub repository temporal metrics (e.g., issue activity, contributor attrition rate), and multi-source ecosystem data from OSV.dev and OpenDigger. Contribution/Results: We首次 identify the “release-before-fix” phenomenon: high-severity vulnerabilities exhibit significantly faster average maintainer response (78 days) than low-severity ones—48.3% quicker. Contributor attrition rate and issue activity are empirically validated as strong predictors of CVE persistence. We propose a reusable Maven vulnerability risk assessment framework that quantifies maintainer response cycles across CVSS severity levels (78–151 days), providing empirical evidence and methodological support for dependency supply-chain security governance.

Software ecosystems rely on centralized package registries, such as Maven, to enable code reuse and collaboration. However, the interconnected nature of these ecosystems amplifies the risks posed by security vulnerabilities in direct and transitive dependencies. While numerous studies have examined vulnerabilities in Maven and other ecosystems, there remains a gap in understanding the behavior of vulnerabilities across parent and dependent packages, and the response times of maintainers in addressing vulnerabilities. This study analyzes the lifecycle of 3,362 CVEs in Maven to uncover patterns in vulnerability mitigation and identify factors influencing at-risk packages. We conducted a comprehensive study integrating temporal analyses of CVE lifecycles, correlation analyses of GitHub repository metrics, and assessments of library maintainers' response times to patch vulnerabilities, utilizing a package dependency graph for Maven. A key finding reveals a trend in"Publish-Before-Patch"scenarios: maintainers prioritize patching severe vulnerabilities more quickly after public disclosure, reducing response time by 48.3% from low (151 days) to critical severity (78 days). Additionally, project characteristics, such as contributor absence factor and issue activity, strongly correlate with the presence of CVEs. Leveraging tools such as the Goblin Ecosystem, OSV.dev, and OpenDigger, our findings provide insights into the practices and challenges of managing security risks in Maven.