Welcome to the JFrog Blog

Latest:

Scaling Docker Usage with JFrog

May 2, 2025 Sean Pratt, Senior Manager, Product Marketing, JFrog

6 min read

Earlier this month the development industry was preparing for rate limit changes at Docker Hub. Ultimately, any rate limit changes were put on hold. Many JFrog customers have asked us, “How would Docker Hub rate limit changes impact us?” In this post we’ll discuss what you can do to ensure uninterrupted usage of Docker, now…

Read More

All Blogs

A Vulnerable Future: MITRE’s Close Call in CVE Management

A Vulnerable Future: MITRE’s Close Call in CVE Management

April 23, 2025 Ofri Ouzan, JFrog Security Researcher Jonathan Sar Shalom, JFrog Director of Threat Research | 16 min read

Last week, one of the biggest concerns in the cybersecurity industry created a crisis that was avoided at the last minute. On April 16th, 2025, the MITRE Corporation announced:  “The current contracting pathway for MITRE to develop, operate, and modernize CVE and several other related programs, such as CWE, will expire.” Official letter from MITRE…
Read More
Now Available: Smart Archiving with the JFrog Platform

Now Available: Smart Archiving with the JFrog Platform

April 23, 2025 Sean Pratt, Senior Manager, Product Marketing, JFrog | 5 min read

Every day development teams around the world release new software. But what happens to prior releases that are no longer in production? Most organizations save them, typically due to internal policies, external regulations, or simply the fear of losing data. Organizations typically take varied approaches to retaining their prior releases. Some use a dedicated repository…
Read More
Malicious PyPI Package Hijacks MEXC Orders, Steals Crypto Tokens

Malicious PyPI Package Hijacks MEXC Orders, Steals Crypto Tokens

April 15, 2025 Guy Korolevski, JFrog Security Researcher | 10 min read

The JFrog Security Research team regularly monitors open source software repositories using advanced automated tools, in order to detect malicious packages. In cases of potential supply chain security threats, our research team reports any malicious packages that were discovered to the repository’s maintainers in order to have them removed. This blog provides an analysis of…
Read More
CVE-2025-29927 – Authorization Bypass Vulnerability in Next.js: All You Need to Know

CVE-2025-29927 – Authorization Bypass Vulnerability in Next.js: All You Need to Know

March 24, 2025 Yoav Saporta, JFrog Security Researcher Yair Mizrahi, JFrog Security Research Team Leader | 10 min read

On March 21st, 2025, the Next.js maintainers announced a new authorization bypass vulnerability - CVE-2025-29927. This vulnerability can be easily exploited to achieve authorization bypass. In some cases - exploitation of the vulnerability can also lead to cache poisoning and denial of service. Which versions of Next.js are affected? Next.js 15.x - from version 15.0.0…
Read More
Conan Launches C/C++ Audit Functionality

Conan Launches C/C++ Audit Functionality

March 19, 2025 Diego Rodriguez-Losada Gonzalez, JFrog Lead Architect | 6 min read

Overview Conan is a leading software package manager for C/C++ development environments. As an open source multi-platform package manager, it is used to create, manage and share native binaries and their dependencies based on C/C++ code. C/C++ is often the preferred language for developing embedded systems, mobile platforms, and real-time applications due to its low-level…
Read More
Is TensorFlow Keras “Safe Mode” Actually Safe? Bypassing safe_mode Mitigation to Achieve Arbitrary Code Execution

Is TensorFlow Keras “Safe Mode” Actually Safe? Bypassing safe_mode Mitigation to Achieve Arbitrary Code Execution

March 12, 2025 Andrey Polkovnichenko, JFrog Security Researcher | 9 min read

Update: This issue was discovered and disclosed independently to Keras by JFrog's research team and Peng Zhou. Machine learning frameworks often rely on serialization and deserialization mechanisms to store and load models. However, improper code isolation and executable components in the models can lead to severe security risks. The structure of the Keras v3 ML Model…
Read More
FINMA Compliance: DevSecOps Strategies for Securing the Swiss Financial Ecosystem

FINMA Compliance: DevSecOps Strategies for Securing the Swiss Financial Ecosystem

February 24, 2025 Danny Parizada, JFrog Senior Solution Engineer | 6 min read

The Swiss Financial Market Supervisory Authority (FINMA) sets strict requirements to ensure that financial institutions operating in Switzerland maintain robust security and operational resilience. FINMA’s guidelines are crucial for protecting sensitive financial data, minimizing risks, and maintaining trust in the Swiss financial ecosystem. As part of that, software supply chain security plays an essential role…
Read More
JFrog Simplifies Compliance with India’s new CERT SBOM Guidelines

JFrog Simplifies Compliance with India’s new CERT SBOM Guidelines

February 12, 2025 Yashaswi Mudumbai, JFrog Senior Director of Solution Engineering Harel Avissar, JFrog Director of Product | 8 min read

Overview The Indian Computer Emergency Response Team (CERT-In) is the national agency responsible for addressing cybersecurity incidents in India. Established in 2004 and operating under the Ministry of Electronics and Information Technology (MeitY), CERT-In is dedicated to enhancing the security of India's digital infrastructure. The organization plays a vital role in preventing, detecting, and responding…
Read More
Everything You Need to Know About Evil Proxy Attacks and MFA Bypass

Everything You Need to Know About Evil Proxy Attacks and MFA Bypass

November 26, 2024 Yarin Zaddik, JFrog IR SecOps Engineer Orel Bitan, JFrog IR & SecOps Group Leader | 9 min read

Attackers use a malicious proxy server to intercept, monitor, and manipulate communication between a client and a legitimate server, often to steal credentials, session tokens, or other sensitive information. Some services provide "Phishing-as-a-Service" (PhaaS), offering attackers ready-made tools and infrastructure to conduct phishing campaigns. These services simplify the process of deceiving individuals into providing sensitive…
Read More

Popular Tags