🤖 AI Summary
This study addresses the lack of systematic validation of whether exploit code for open-source Java library vulnerabilities transfers across library versions, a gap that often leads to inaccurate assessments of a vulnerability's affected-version range. The authors construct a large-scale dataset comprising 259 exploits, 128 Java libraries, and 28,150 historical versions, enabling the first large-scale empirical analysis of exploit effectiveness across versions. From successful manual migration cases they distill a taxonomy of ten migration strategies that improve exploit adaptability. Through exploit execution testing, version backtracking, manual annotation, and compatibility analysis, the original exploit code achieves a recall of 83.0% and a precision of 99.3% in identifying affected versions. After applying the proposed migration techniques, recall improves to 96.1%, and the study contributes 796 previously missing affected versions to the CPE dictionary.
📝 Abstract
Open-source software supply chain security relies heavily on assessing the affected versions of library vulnerabilities. While prior studies have leveraged exploits to verify vulnerability-affected versions, they point out a key limitation: exploits are version-specific and cannot be directly applied across library versions. Despite being widely acknowledged, this limitation has not been systematically validated at scale, leaving the actual applicability of exploits across versions unexplored. To fill this gap, we conduct the first large-scale empirical study on exploit applicability across library versions. We construct a comprehensive dataset consisting of 259 exploits spanning 128 Java libraries and 28,150 historical versions, covering 61 CWEs that account for 76.33% of vulnerabilities in Maven. Leveraging this dataset, we execute each exploit against the library's version history and compare the execution outcomes with our manually annotated ground-truth affected versions. We further investigate the root causes of inconsistencies between exploit execution and ground truth, and explore strategies for exploit migration. Our results (RQ1) show that, even without migration, exploits achieve 83.0% recall and 99.3% precision in identifying affected versions in Java, outperforming most widely used vulnerability databases and assessment tools. Notably, this capability enables us to contribute 796 confirmed missing affected versions to the CPE dictionary. We investigate the remaining exploit failures (RQ2) and find that they mainly stem from compatibility issues introduced by library evolution and from changing environmental constraints. Based on these observations, we manually migrate exploits for 1,885 versions and distill a taxonomy of 10 strategies from these successful adaptation cases (RQ3), thereby increasing the overall recall to 96.1%.