Analyzing Vulnerability Overestimation in Software Projects
The widespread use of third-party dependencies in software development has heightened concerns about security vulnerabilities, especially those introduced via transitive dependencies. Current vulnerability assessment tools often overestimate the attack surface by including bloated dependencies—unused components within dependency trees—leading to inflated risk evaluations. This paper investigates the role of bloated dependencies in vulnerability overestimation, focusing on Maven-based projects. Utilizing a dataset from the Maven Central Dependency Graph, enriched with Weaver metrics, we identify patterns of dependency bloat and quantify its impact on risk assessments. Our findings demonstrate how excluding bloated dependencies from evaluations can provide a more accurate and actionable view of a project's security risks. The study also discusses the limitations of existing tools, offering insights into refining vulnerability assessment methodologies for modern software ecosystems.
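As an added illustration of the abstract's argument (example code written for this page, not code from the paper or its dataset), the script below compares the vulnerability count over a full resolved dependency tree with the count over only the artifacts that are actually used. The dependency graph, the per-edge usage flags, and the vulnerability identifiers are all constructed placeholders.

```python
from collections import deque

# Constructed dependency graph of a hypothetical Maven project "app".
# Each edge is (child artifact, used): `used` is True when the parent actually
# references code from the child, the kind of flag a bloat-detection tool would
# produce. All flags below are made up for the example.
GRAPH = {
    "app":   [("lib-a", True), ("lib-b", False), ("lib-c", True)],
    "lib-a": [("lib-d", True), ("lib-f", False)],
    "lib-b": [("lib-d", True), ("lib-e", True)],   # lib-b itself is bloated
    "lib-c": [("lib-e", False)],                   # lib-c declares but never uses lib-e
    "lib-d": [],
    "lib-e": [],
    "lib-f": [],
}

# Constructed advisory map: artifact -> set of placeholder vulnerability ids.
VULNS = {
    "lib-b": {"VULN-B-1"},
    "lib-d": {"VULN-D-1"},
    "lib-e": {"VULN-E-1", "VULN-E-2"},
    "lib-f": {"VULN-F-1"},
}

def reachable(graph, root, used_only):
    """Artifacts reachable from root (root excluded). With used_only, follow
    only edges whose child is actually used by its parent. Cycles are tolerated."""
    seen, queue = set(), deque([root])
    while queue:
        node = queue.popleft()
        for child, used in graph.get(node, []):
            if used_only and not used:
                continue
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen

def vulns_in(artifacts, vulns):
    """Union of the vulnerability ids recorded for the given artifacts."""
    return set().union(*(vulns.get(a, set()) for a in artifacts))

def assess(graph, vulns, root="app"):
    """Naive count (every artifact in the resolved tree) versus debloated count
    (only artifacts on a fully-used path from the root); the difference is the
    share of reported vulnerabilities attributable solely to bloated dependencies."""
    naive = vulns_in(reachable(graph, root, used_only=False), vulns)
    debloated = vulns_in(reachable(graph, root, used_only=True), vulns)
    return {"naive": naive, "debloated": debloated, "overestimated": naive - debloated}

if __name__ == "__main__":
    r = assess(GRAPH, VULNS)
    print(f"naive={len(r['naive'])} debloated={len(r['debloated'])} "
          f"overestimated={len(r['overestimated'])}")
```

Note that lib-d stays in the debloated set because it is reachable through a used path (app → lib-a → lib-d) even though a second path runs through the bloated lib-b; usage flags derived from static analysis can also miss code loaded reflectively or only at runtime, so a "bloated" label should be confirmed before an advisory is dismissed.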