The invention discloses a vulnerability detection method, device and system for open source software, and the method comprises the steps: analyzing a data dependence relation and a control dependencerelation of all key nodes in a to-be-detected open source software source code, and forming a control flow graph based on the data dependence relation and the control dependence relation; traversing the control flow graph to generate an intermediate representation, wherein the intermediate representation comprises statements having a data dependency relationship and a control dependency relationship with each key node; and processing the intermediate representation into a plurality of fixed-dimension vectors, marking different labels according to whether the fixed-dimension vectors contain vulnerabilities or not, and training a vulnerability detection model by taking the fixed-dimension vectors as input to complete vulnerability detection of the open source software. The method in the source code of the open source software is abstracted into the intermediate representation containing the data dependency relationship and the control dependency relationship by applying static analysis,then the intermediate representation is mapped into the vector and labeled, and finally the vulnerability detection model is trained, so that the vulnerability detection accuracy and recall rate can be greatly improved.