Welcome to the JFrog Blog

Latest:

Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk

November 4, 2025 Or Peles, JFrog Senior Security Researcher

12 min read

The JFrog Security Research team recently discovered and disclosed CVE-2025-11953 - a critical (CVSS 9.8) security vulnerability affecting the extremely popular @react-native-community/cli NPM package that has approximately 2M weekly downloads. The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli’s development server, posing a significant risk to…

Read More

All Blogs

JFrog & GitHub: Unifying the Software Supply Chain, One Step at a Time… and Our 2025 GitHub Technology Partner Award

JFrog & GitHub: Unifying the Software Supply Chain, One Step at a Time… and Our 2025 GitHub Technology Partner Award

October 28, 2025 Paul Garden, JFrog Partner and Industry Solutions | 6 min read

Organizations increasingly demand platforms that not only accelerate software delivery but also provide trust, security, and traceability. At JFrog, the software supply chain is managed and secured by default, from commit to runtime. That’s why our deep integration with GitHub is central to how we help teams manage, monitor, and secure every step of software…
Read More
CVE-2025-6515 Prompt Hijacking Attack – How Session Hijacking Affects MCP Ecosystems

CVE-2025-6515 Prompt Hijacking Attack – How Session Hijacking Affects MCP Ecosystems

October 21, 2025 Ori Hollander, JFrog Security Researcher Ofri Ouzan, JFrog Security Researcher | 10 min read

JFrog Security Research recently discovered and disclosed multiple CVEs in oatpp-mcp - the Oat++ framework’s implementation of Anthropic’s Model Context Protocol (MCP) standard. Among these, CVE-2025-6515 stood out due to its potential threat of hijacking MCP session IDs. Within the context of MCP we’ve dubbed this new attack technique "Prompt Hijacking". Your browser does not…
Read More
JFrog AppTrust: A Technical Deep Dive into Building a Trusted Software Supply Chain

JFrog AppTrust: A Technical Deep Dive into Building a Trusted Software Supply Chain

October 16, 2025 Jacqueline Basil, JFrog Product Marketing Manager, Security | 7 min read

Software supply chains have grown more complex as software delivery accelerates across more teams, technologies and environments. While the pace of releases continues to increase, the ability to manage these releases has not accelerated correspondingly. Developers and development operations are now firmly in the spotlight, as new regulations demand clear, auditable proof that every stage…
Read More
Don’t Guess What to Scan: Runtime Scope Ensures Full Production Coverage

Don’t Guess What to Scan: Runtime Scope Ensures Full Production Coverage

October 15, 2025 Ariel Antoni, JFrog Senior Product Manager | 5 min read

Are you confident that you’re scanning for security vulnerabilities on all your software running in production? If this question makes you uncomfortable don’t worry. First, you’re not alone. Second - keep reading. Almost all security teams today face a massive challenge: they’re drowning in data but lack direction. They have an overwhelming amount of code…
Read More
Shifting Security ‘Lefter’ Than Left Is The Key To Avoiding Risky Packages

Shifting Security ‘Lefter’ Than Left Is The Key To Avoiding Risky Packages

September 19, 2025 Asaf Karas, JFrog CTO & SVP Security | 4 min read

As the AI revolution accelerates, developers are being inundated with a dazzling array of new software packages and game-changing tools such as GitHub CoPilot, Sourcegraph, Qodo, Cursor, Goose, and others that promise incredible advances in productivity and impact. The excitement over this is high and just keeps on growing. Cyberattackers share equally in this excitement;…
Read More
From Silos to Synergy: Unifying Your Security Tools for a Stronger More Resilient Software Supply Chain

From Silos to Synergy: Unifying Your Security Tools for a Stronger More Resilient Software Supply Chain

October 1, 2025 Paul Davis, Field CISO | 4 min read

In the race to secure today’s ever-expanding attack surface, many companies have made a  practice of using a mix of tools to monitor, assess, and remediate threats. This practice has resulted in a fragmented and chaotic landscape of security solutions across several teams, increasing complexity and forcing companies to have a reactive vs. proactive security…
Read More
Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover

Chaotic Deputy: Critical vulnerabilities in Chaos Mesh lead to Kubernetes cluster takeover

September 16, 2025 Natan Nehorai, JFrog Application Security Researcher | 11 min read

JFrog Security Research recently discovered and disclosed multiple CVEs in the highly popular Chaos engineering platform - Chaos-Mesh. The discovered CVEs, which we’ve named Chaotic Deputy are CVE-2025-59358, CVE-2025-59360, CVE-2025-59361 and CVE-2025-59359. The last three Chaotic Deputy CVEs are critical severity (CVSS 9.8) vulnerabilities which can be easily exploited by in-cluster attackers to run arbitrary…
Read More
The AI/ML Regulatory Landscape and How to Stay Ahead

The AI/ML Regulatory Landscape and How to Stay Ahead

September 11, 2025 Paul Davis, Field CISO | 5 min read

The entire world of technology is abuzz about AI/ML. It’s arguably the most disruptive technology to society since the smartphone. In fact, Gartner estimates that the number of companies using open-source AI directly will increase tenfold by 2027. While this rapid advance is fueling quantum leaps in innovation, it also ignites increasing scrutiny from regulatory…
Read More
Stop the Chaos: How to Centralize, Secure, and Control Developer Extensions

Stop the Chaos: How to Centralize, Secure, and Control Developer Extensions

September 10, 2025 Achinoam Katsoff-Sitton, JFrog Product Marketing Manager, DevOps | 4 min read

Picture this: A new developer joins your team, excited to start contributing. On day one, they spend hours installing and configuring their IDE, searching for the "right" extensions. Their setup ends up being completely different from everyone else's. Sound familiar? Worse yet, what if that "productivity-boosting" extension or new MCP server they just installed also…
Read More
swampUP 2025 Recap: The Quantum Shift in Software Delivery Requires a Unified Approach

swampUP 2025 Recap: The Quantum Shift in Software Delivery Requires a Unified Approach

September 17, 2025 The JFrog Team | 13 min read

And that’s a wrap! Held in beautiful Napa Valley, swampUP 2025, JFrog’s annual customer conference brought together developers, operations, security, compliance, and AI/ML leaders – all facing the same burning challenges posed by the AI-driven quantum shift in software delivery. In the keynotes, breakout sessions, and side-conversations over wine and coffee, a common theme was…
Read More

Popular Tags