A 4 KB JavaScript library that parses and scores CVSS vectors with no network calls, no build step, and no third-party API. Use it in CI or drop a web component into any page.
Every vuln management tool eventually needs to score a CVSS vector. Most of them either call out to NVD's API (slow, rate-limited, requires network egress from your scanner) or pull in a fat dependency that drags an old crypto library along for the ride.
I built @hailbytes/cvss-calc because I wanted to score vectors inside a CI runner that didn't have internet access. It's a single, zero-dependency package that handles both CVSS v3.1 and v4.0.
Score a vector in two lines
```js
import { calculate } from '@hailbytes/cvss-calc';
const result = calculate('CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H');
// { score: 9.8, severity: 'Critical', version: '3.1', vector: '...' }
```
v4.0 works the same way — the library parses the version from the vector string and dispatches to the right scorer. No flag, no branching at the call site:
```js
const v4 = calculate('CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N');
// { score: 10.0, severity: 'Critical', version: '4.0', vector: '...' }
```
Or drop it into any page as a web component
```html
<script type="module" src="https://cdn.jsdelivr.net/npm/@hailbytes/cvss-calc/dist/element.js"></script>
<hailbytes-cvss-calc vector="CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"></hailbytes-cvss-calc>
```
The component renders a full interactive calculator. Listen for `cvss-calculated` events to read the score from JS.
Where I'm using it
- A pre-deploy CI gate that fails the build if any new CVE in the SBOM scores ≥ 7.0
- A ticketing integration that auto-prioritizes Jira issues by severity
- A static status page where each disclosed CVE renders a live, interactive calculator
Scoring follows the official FIRST CVSS v3.1 and v4.0 specs.
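As an added example, not code from @hailbytes/cvss-calc: a self-contained CVSS v3.1 base-metric scorer following the FIRST formulas, plus a gate like the ≥ 7.0 CI check above that also blocks on vectors it cannot parse. The names `baseScore` and `gate` and the `EXAMPLE-` findings are assumptions constructed for illustration.

```javascript
// Added example: CVSS v3.1 base metrics only, weights and formulas per the FIRST v3.1 spec.
const CIA = { H: 0.56, L: 0.22, N: 0 };
const W = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  PR: { N: [0.85, 0.85], L: [0.62, 0.68], H: [0.27, 0.5] }, // [scope unchanged, changed]
  UI: { N: 0.85, R: 0.62 }, S: { U: false, C: true },
  C: CIA, I: CIA, A: CIA,
};
// Spec-defined Roundup: smallest one-decimal value >= x, using integers to avoid float drift.
function roundup(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}
function baseScore(vector) {
  const [prefix, ...parts] = String(vector).split('/');
  if (prefix !== 'CVSS:3.1') throw new Error(`unsupported vector: ${vector}`);
  const m = {};
  for (const part of parts) {
    const [k, v] = part.split(':');
    const known = Object.hasOwn(W, k) && Object.hasOwn(W[k], String(v));
    if (!known || Object.hasOwn(m, k)) throw new Error(`bad or repeated metric: ${part}`);
    m[k] = W[k][v];
  }
  for (const k of Object.keys(W)) if (!Object.hasOwn(m, k)) throw new Error(`missing metric: ${k}`);
  const iss = 1 - (1 - m.C) * (1 - m.I) * (1 - m.A);
  const impact = m.S ? 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 : 6.42 * iss;
  if (impact <= 0) return 0;
  const expl = 8.22 * m.AV * m.AC * m.PR[m.S ? 1 : 0] * m.UI;
  return roundup(Math.min(m.S ? 1.08 * (impact + expl) : impact + expl, 10));
}
// Fail closed: a vector that cannot be scored blocks the build like a high score would.
function gate(findings, threshold = 7.0) {
  return findings.flatMap(({ id, vector }) => {
    try {
      const score = baseScore(vector);
      return score >= threshold ? [{ id, score }] : [];
    } catch (err) {
      return [{ id, error: err.message }];
    }
  });
}
// Constructed findings with placeholder ids (not real CVEs).
const findings = [
  { id: 'EXAMPLE-0001', vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' }, // 9.8
  { id: 'EXAMPLE-0002', vector: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N' }, // 6.1
  { id: 'EXAMPLE-0003', vector: 'CVSS:3.1/AV:N/AC:L/PR:N' }, // truncated, cannot be scored
];
console.log(gate(findings)); // a CI job would exit non-zero when this array is non-empty
```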
```sh
npm install @hailbytes/cvss-calc
```
Source and docs: github.com/hailbytes/cvss-calc — MIT licensed.