How-To: Search for Components by CVE

Search artifacts by CVE or component

Author: JFrog Support
Article number: 000006701
First published: 2025-12-05T12:21:36Z
Last modified: 2025-12-05
(Old SBOM Mode)
This guide explains how to use the JFrog Xray Search Components by CVE API to identify components affected by CVE-2025-55182 and CVE-2025-66478.

This method uses a POST endpoint with a JSON body to search for components that are vulnerable to specific CVEs.
  • API Endpoint: https://<JFrog_URL>/xray/api/v1/component/searchByCves
  • Method: POST

Find Components by CVE ID

Use this command to find all components (npm packages, Docker images, etc.) that are affected by a specific CVE.

Request Body Format:
{
  "cves": ["CVE-2025-55182"]
}
Command:
curl -u "<USER>:<TOKEN>" \
-X POST \
-H "Content-Type: application/json" \
-d '{"cves": ["CVE-2025-55182"]}' \
https://<JFrog_URL>/xray/api/v1/component/searchByCves
Expected Output:
A JSON array of CVE search results, where each result contains the CVE ID and a list of affected components.
[
  {
    "cve_details": "CVE-2025-55182",
    "components": [
      {
        "name": "react-server-dom-webpack",
        "package_type": "npm",
        "version": "19.1.1",
        "link": "https://<JFrog_URL>/ui/packages/npm/react-server-dom-webpack/19.1.1"
      }
    ]
  }
]
Multiple CVEs:
You can search for multiple CVEs in a single request by including them in the cves array:
{
  "cves": ["CVE-2025-55182", "CVE-2025-66478"]
}
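
Added example (not part of the original article and not JFrog code): a Python sketch that builds the multi-CVE request body and groups the response by component, so a component hit by several CVEs appears once in the triage list. The function names, the "example-pkg" entries and the handling of an empty or missing "components" list are assumptions; search() mirrors the curl command above and is not called here.

```python
import base64
import json
import re
import urllib.request

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def build_body(cves):
    """Normalize, validate and de-duplicate CVE IDs; return the JSON body."""
    ids = [c.strip().upper() for c in cves]
    bad = [c for c in ids if not CVE_RE.match(c)]
    if bad:
        raise ValueError(f"not CVE IDs: {bad}")
    return json.dumps({"cves": list(dict.fromkeys(ids))})

def search(base_url, user, token, cves):
    """POST to searchByCves with basic auth, as curl -u does."""
    auth = base64.b64encode(f"{user}:{token}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/xray/api/v1/component/searchByCves", data=build_body(cves).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {auth}"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def affected(results):
    """Flatten the result array into {(package_type, name, version): [cves]}."""
    hits = {}
    for entry in results:
        cve = entry.get("cve_details", "")
        # Assumption: a CVE with no matches has an empty or missing "components".
        for comp in entry.get("components") or []:
            key = (comp.get("package_type", ""), comp.get("name", ""), comp.get("version", ""))
            hits.setdefault(key, []).append(cve)
    return hits

# Constructed sample in the response shape shown above; "example-pkg" is made up.
SAMPLE = json.loads("""[
 {"cve_details": "CVE-2025-55182", "components": [
  {"name": "react-server-dom-webpack", "package_type": "npm", "version": "19.1.1"},
  {"name": "example-pkg", "package_type": "npm", "version": "1.0.0"}]},
 {"cve_details": "CVE-2025-66478", "components": [
  {"name": "example-pkg", "package_type": "npm", "version": "1.0.0"}]}
]""")

if __name__ == "__main__":
    for key, cves in sorted(affected(SAMPLE).items()):
        print(*key, "<-", ", ".join(cves))
```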

Important Note

This endpoint requires the REPORTS_MANAGER permission and returns components that are vulnerable to the specified CVEs in your Xray system.