Junior Security Researcher

CVE-2025-29927 – Authorization Bypass Vulnerability in Next.js: All You Need to Know

On March 21st, 2025, the Next.js maintainers announced a new authorization bypass vulnerability – CVE-2025-29927. This vulnerability can be easily exploited to achieve authorization bypass. In some cases – exploitation of the vulnerability can also lead to cache poisoning and denial of service. Which versions of Next.js are affected? Next.js 15.x – from version 15.0.0 …

Everything You Need to Know About Evil Proxy Attacks and MFA Bypass

Attackers use a malicious proxy server to intercept, monitor, and manipulate communication between a client and a legitimate server, often to steal credentials, session tokens, or other sensitive information. Some services provide "Phishing-as-a-Service" (PhaaS), offering attackers ready-made tools and infrastructure to conduct phishing campaigns. These services simplify the process of deceiving individuals into providing sensitive …

Top JFrog Security Research Discoveries of 2024

In our previous round-up of security research for 2023, we mentioned our surprise at the large volume of 29,000 vulnerabilities that were reported two years ago. But that didn't prepare us for the astounding 40% increase, reported by Cyber Press, resulting in over 40,000 CVEs that were published over the past year in 2024. That …

CVE-2024-6197 Curl and Libcurl: Use-after-Free on the Stack

On July 24th 2024, Curl maintainers announced a new stack buffer Use After Free (UAF) vulnerability – CVE-2024-6197. This type of vulnerability is very uncommon since UAF issues usually occur on the heap and not on the stack. While the vulnerability can be easily exploited for causing denial of service, in this blog we will …

CVE-2024-10524 Wget Zero Day Vulnerability

While researching CVE-2024-38428 in GNU's Wget, our team found a new 0-day vulnerability. The vulnerability, later assigned CVE-2024-10524, may lead to various types of attacks – including phishing, SSRF, and MiTM. These attacks can have severe consequences such as resource restriction bypass and sensitive information exposure. Upon discovering this vulnerability, our team responsibly disclosed it …

Machine Learning Bug Bonanza – Exploiting ML Services

JFrog's security research team continuously monitors open-source software registries, proactively identifying and addressing potential malware and vulnerability threats to foster a secure and reliable ecosystem for open-source software development and deployment. In our previous research on MLOps we noted the immaturity of the Machine Learning (ML) field often results in a higher amount of discovered …

CVE-2024-38428 Wget Vulnerability: All you need to know

On Sunday, June 2nd 2024, a fix commit was pushed for a vulnerability in GNU's popular Wget tool. Two weeks later, the vulnerability was assigned the ID CVE-2024-38428 and later was classified as a critical vulnerability – with a CVSS score of 9.1. In this blog, we take a deep dive into this threat by …

Top JFrog Security Research Blogs of the Year

With over 29,000 CVEs and 5.5 billion malware attacks recorded in the past year, it's no wonder that software supply chain security is a top priority for enterprise developers on a global scale. That is also why JFrog Security Research has been instrumental in identifying and analyzing the biggest threats and devising methods to protect …

Proactive Vulnerability Management is a No Brainer for Security, but…

In December 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) identified exploits against vulnerable public-facing applications as the most common initial attack vector for cybercriminals, followed by attacks on external remote services such as VPNs. According to a study by CrowdStrike, exploit activity targeting cloud apps and assets grew 95% from 2021 to 2022, …