JFrog Security Research

Cutting Edge Security Research to Protect the Modern Software Supply Chain

Our dedicated team of security engineers and researchers are committed to advancing software security through discovery, analysis, and exposure of new vulnerabilities and attack methods.

Follow JFrog Security on Twitter
Latest from JFrog's Security Blog

Software Vulnerabilities

Latest vulnerabilities discovered by the team

JFrog security researchers and engineers collaborate to create advanced vulnerability scanners, built on a deep understanding of attackers' techniques.

We use our automated scanners to help the community by continually identifying new vulnerabilities in publicly available software packages and disclosing them.

Vulnerabilities discovered
See All Vulnerabilities >
Last updated on 20 Jan. 2025
Malicious Packages

Latest malicious packages disclosed by the team

Given the widespread use of open-source software (OSS) packages in modern application development, public OSS repositories have become a popular target for supply chain attacks.

To help foster a secure environment for developers, the JFrog Security research team continuously monitors popular repositories with our automated tooling, and reports malicious packages discovered to repository maintainers and the wider community.

Malicious packages disclosed
See All Packages >
Last updated on 28 Jan. 2025
  • dex-api-library (npm, <1k total downloads), published on 28 Jan, 2025
  • kvpair_db_upgrade (npm, <1k total downloads), published on 28 Jan, 2025
  • zkpay-plonky2-contract (npm, <1k total downloads), published on 28 Jan, 2025
  • cosmwasmjs-demo (npm, <1k total downloads), published on 28 Jan, 2025
  • pistache-io (npm, <1k total downloads), published on 28 Jan, 2025
OSS Tools

Latest security OSS tools released by the team

When new software security threats arise, in many cases the time to respond is of the essence.
The JFrog Security research team supports the community with a range of OSS tools to identify such threats in your software quickly.

OSS tools released
See All OSS Tools >
Last updated on 31 Mar. 2024
  • CVE-2024-3094-detector: Checks if the local machine is vulnerable to CVE-2024-3094 and currently affected by CVE-2024-3094.
    Published on 31 Mar, 2024
  • openssl_req_client_cert: Determines whether client authentication is required by the SSL server, in which case servers based on OpenSSL 3.0.0..3.0.6 will be vulnerable to CVE-2022-3602 & CVE-2022-3786.
    Published on 2 Nov, 2022
  • scan_vulnerable_openssl_code: Finds binaries with a statically-linked version of OpenSSL. Specifically, the tool differentiates between OpenSSL 3.0.0-3.0.6 (vulnerable versions) and 3.0.7 (fixed version).
    Published on 2 Nov, 2022
  • text_4_shell_patch: Looks for the vulnerable ScriptStringLookup class in the given commons-text jar and disables the lookup() function, effectively patching the vulnerability. The tool can also patch (disable) the vulnerable DnsStringLookup and URLStringLookup functionalities.
    Published on 24 Oct, 2022
  • scan_commons_text_versions: Recursively searches for the class code of StringLookupFactory (regardless of containing .jar file names and content of pom.xml files), and attempts to fingerprint the versions of the objects to report whether the included version of commons-text is vulnerable.
    Published on 18 Oct, 2022
The JFrog Detection Edge

The JFrog Security research team is part of the group behind JFrog Xray, enhancing its unique vulnerability database and utilizing patented technology to quickly detect unknown security issues in both open source and proprietary code.

Learn more about Xray

Report Vulnerabilities Discovered in JFrog Products

The security and quality of our code is a top priority for JFrog. If you find a vulnerability or any other type of security issue in one of our products, please report it to us immediately. Security researchers may be able to participate in a bug bounty program and earn rewards for their findings.

Learn more about how to report a vulnerability >
