Welcome to the JFrog Blog

Latest:

A Heartfelt Thank You to Jessica Neal

March 28, 2025 Shlomi Ben Haim, CEO, JFrog

2 min read

As we turn the page on another chapter at JFrog, we say goodbye to an incredible member of our Board of Directors, Jessica Neal. Over the past five years, Jessica has been a guiding light for our organization, bringing HR insight, innovation, and the true heart of a Frog. During her time with us, Jessica…

Read More

All Blogs

CVE-2025-29927 – Authorization Bypass Vulnerability in Next.js: All You Need to Know

CVE-2025-29927 – Authorization Bypass Vulnerability in Next.js: All You Need to Know

March 24, 2025 Yoav Saporta, JFrog Security Researcher Yair Mizrahi, JFrog Security Research Team Lead | 10 min read

On March 21st, 2025, the Next.js maintainers announced a new authorization bypass vulnerability - CVE-2025-29927. This vulnerability can be easily exploited to achieve authorization bypass. In some cases - exploitation of the vulnerability can also lead to cache poisoning and denial of service. Which versions of Next.js are affected? Next.js 15.x - from version 15.0.0…
Read More
Conan Launches C/C++ Audit Functionality

Conan Launches C/C++ Audit Functionality

March 19, 2025 Diego Rodriguez-Losada Gonzalez, JFrog Lead Architect | 6 min read

Overview Conan is a leading software package manager for C/C++ development environments. As an open source multi-platform package manager, it is used to create, manage and share native binaries and their dependencies based on C/C++ code. C/C++ is often the preferred language for developing embedded systems, mobile platforms, and real-time applications due to its low-level…
Read More
Is TensorFlow Keras “Safe Mode” Actually Safe? Bypassing safe_mode Mitigation to Achieve Arbitrary Code Execution

Is TensorFlow Keras “Safe Mode” Actually Safe? Bypassing safe_mode Mitigation to Achieve Arbitrary Code Execution

March 12, 2025 Andrey Polkovnichenko, JFrog Security Researcher | 9 min read

Update: This issue was discovered and disclosed independently to Keras by JFrog's research team and Peng Zhou. Machine learning frameworks often rely on serialization and deserialization mechanisms to store and load models. However, improper code isolation and executable components in the models can lead to severe security risks. The structure of the Keras v3 ML Model…
Read More
FINMA Compliance: DevSecOps Strategies for Securing the Swiss Financial Ecosystem

FINMA Compliance: DevSecOps Strategies for Securing the Swiss Financial Ecosystem

February 24, 2025 Danny Parizada, JFrog Senior Solution Engineer | 6 min read

The Swiss Financial Market Supervisory Authority (FINMA) sets strict requirements to ensure that financial institutions operating in Switzerland maintain robust security and operational resilience. FINMA’s guidelines are crucial for protecting sensitive financial data, minimizing risks, and maintaining trust in the Swiss financial ecosystem. As part of that, software supply chain security plays an essential role…
Read More
JFrog Simplifies Compliance with India’s new CERT SBOM Guidelines

JFrog Simplifies Compliance with India’s new CERT SBOM Guidelines

February 12, 2025 Yashaswi Mudumbai, JFrog Senior Director of Solution Engineering Harel Avissar, JFrog Director of Product | 8 min read

Overview The Indian Computer Emergency Response Team (CERT-In) is the national agency responsible for addressing cybersecurity incidents in India. Established in 2004 and operating under the Ministry of Electronics and Information Technology (MeitY), CERT-In is dedicated to enhancing the security of India's digital infrastructure. The organization plays a vital role in preventing, detecting, and responding…
Read More
Everything You Need to Know About Evil Proxy Attacks and MFA Bypass

Everything You Need to Know About Evil Proxy Attacks and MFA Bypass

November 26, 2024 Yarin Zaddik, JFrog IR SecOps Engineer Orel Bitan, JFrog IR & SecOps Group Leader | 9 min read

Attackers use a malicious proxy server to intercept, monitor, and manipulate communication between a client and a legitimate server, often to steal credentials, session tokens, or other sensitive information. Some services provide "Phishing-as-a-Service" (PhaaS), offering attackers ready-made tools and infrastructure to conduct phishing campaigns. These services simplify the process of deceiving individuals into providing sensitive…
Read More
JFrog Achieves ISO/IEC 27001:2022

JFrog Achieves ISO/IEC 27001:2022

February 10, 2025 Tamar Ashtar, JFrog GRC Specialist | 3 min read

As part of JFrog's mission to continuously develop and uphold the highest industry standards in cyber security, we are excited to announce that we have successfully upgraded our ISO certification to the latest version, ISO/IEC 27001:2022. This achievement reinforces our dedication to protecting your data with the high standards of cyber and information security. Understanding…
Read More
NIS2 Compliance in 2025: Compliance Doesn’t Have to Mean Complexity

NIS2 Compliance in 2025: Compliance Doesn’t Have to Mean Complexity

February 6, 2025 Danny Parizada, JFrog Senior Solution Engineer | 5 min read

The Network and Information Systems Directive 2 (NIS2) is the European Union’s effort to fortify cybersecurity across critical industries and services. Building on the original NIS Directive, NIS2 has broadened its scope, introduced stricter requirements, and placed greater emphasis on supply chain security. Now that the October 2024 transposition deadline has passed, organizations must focus…
Read More
Top JFrog Security Research Discoveries of 2024

Top JFrog Security Research Discoveries of 2024

January 30, 2025 Ofri Ouzan, JFrog Security Research Batel Zohar, JFrog Developer Advocate | 7 min read

In our previous round-up of security research for 2023,  we mentioned our surprise at the large volume of 29,000 vulnerabilities that were reported two years ago.  But that didn’t prepare us for the astounding 40% increase, reported by Cyber Press, resulting in over 40,000 CVEs that were published over the past year in 2024. That…
Read More
CVE-2024-6197 Curl and Libcurl: Use-after-Free on the Stack

CVE-2024-6197 Curl and Libcurl: Use-after-Free on the Stack

December 18, 2024 Ben Gross, Security Researcher Yair Mizrahi, JFrog Security Research Team Leader | 12 min read

On July 24th 2024, Curl maintainers announced a new stack buffer Use After Free (UAF) vulnerability - CVE-2024-6197. This type of vulnerability is very uncommon since UAF issues usually occur on the heap and not on the stack. While the vulnerability can be easily exploited for causing denial of service, in this blog we will…
Read More

Popular Tags