Back
Uriya Yavnieli

Uriya Yavnieli

JFrog Security Researcher

Uriya is a Security Researcher at JFrog’s vulnerability research team, where he specializes in low-level research and vulnerability discovery automations. Before joining Vdoo and JFrog, Uriya was a Security Researcher at Cyberbit, bringing experience from previous roles in R&D in the tech unit of the Israeli Defense Force.

The Latest From Uriya Yavnieli

  • Machine Learning Bug Bonanza – Exploiting ML Clients and “Safe” Model Formats
    | 15 min read

    In our previous blog post in this series we showed how the immaturity of the Machine Learning (ML) field allowed our team to discover and disclose 22 unique software vulnerabilities in ML-related projects, and we analyzed some of these vulnerabilities that allowed attackers to exploit various ML services. In this post, we will again dive…

    Read More  

  • Machine Learning Bug Bonanza – Exploiting ML Services
    | 18 min read

    JFrog’s security research team continuously monitors open-source software registries, proactively identifying and addressing potential malware and vulnerability threats to foster a secure and reliable ecosystem for open-source software development and deployment. In our previous research on MLOps we noted the immaturity of the Machine Learning (ML) field often results in a higher amount of discovered…

    Read More  

  • From MLOps to MLOops: Exposing the Attack Surface of Machine Learning Platforms
    | 26 min read

    NOTE: This research was recently presented at Black Hat USA 2024, under the title “From MLOps to MLOops - Exposing the Attack Surface of Machine Learning Platforms”. The JFrog Security Research team recently dedicated its efforts to exploring the various attacks that could be mounted on open source machine learning (MLOps) platforms used inside organizational…

    Read More  

  • Arbitrary File Creation vulnerability in plexus-archiver – CVE-2023-37460
    | 7 min read

    The JFrog Security research team constantly monitors open-source projects to find new vulnerabilities or malicious packages and share them with the wider community to help improve their overall security posture. As part of this effort, the team recently discovered a new security vulnerability in plexus-archiver, an archive creation and extraction package. plexus-archiver is used in…

    Read More  

  • CVE-2021-38297 – Analysis of a Go Web Assembly vulnerability
    | 9 min read

    The JFrog Security Research team continuously monitors reported vulnerabilities in open-source software (OSS) to help our customers and the wider community be aware of potential software supply chain security threats and their impact. In doing so, we often notice important trends and key learnings worth highlighting. The following analysis of a vulnerability discovered in the…

    Read More  

  • SATisfying our way into remote code execution in the OPC UA industrial stack
    | 18 min read

    The JFrog Security team recently competed in the Pwn2Own Miami 2022 hacking competition which focuses on Industrial Control Systems (ICS) security. One of our research targets for the competition was the Unified Automation C++-based OPC UA Server SDK. Other than the vulnerabilities we disclosed as part of the pwn2own competition, we managed to find and…

    Read More  

  • Crashing Industrial Control Systems at Pwn2Own Miami 2022
    | 13 min read

    Earlier this year, the JFrog Security research team competed in the Pwn2Own Miami 2022 hacking competition which focuses on Industrial Control Systems (ICS) security. We were proud to take part in this competition and join other researchers in the effort to make mission-critical industrial environments safe and secure. During the Pwn2Own Miami competition we competed…

    Read More  

  • CVE-2022-25845 – Analyzing the Fastjson “Auto Type Bypass” RCE vulnerability
    | 11 min read

    A few weeks ago, a new version for Fastjson was released (1.2.83) which contains a fix for a security vulnerability that allegedly allows an attacker to execute code on a remote machine. According to several publications, this vulnerability allows an attacker to bypass the “AutoTypeCheck” mechanism in Fastjson and achieve remote code execution. This Fastjson…

    Read More  

  • 7 RCE and DoS vulnerabilities Found in ClickHouse DBMS
    | 10 min read

    The JFrog Security research team constantly monitors open-source projects to find new vulnerabilities or malicious packages and share them with the wider community to help improve their overall security posture. As part of this effort, the team recently discovered seven new security vulnerabilities in ClickHouse, a widely used open-source Database Management System (DBMS) dedicated to…

    Read More  

  • JFrog Discloses 5 Memory Corruption Vulnerabilities in PJSIP – A Popular Multimedia Library
    | 6 min read

    Update 03/03/22 - Added clarification about vulnerable applications JFrog’s Security Research team is constantly looking for new and previously unknown security vulnerabilities in popular open-source projects to help improve their security posture. As part of this effort, we recently discovered 5 security vulnerabilities in PJSIP, a widely used open-source multimedia communication library developed by Teluu. By…

    Read More