How-To: Search for Impacted Resources

Search artifacts by CVE or component

Author: JFrog Support
Article number: 000006701
First published: 2025-12-05T12:21:36Z
Last modified: 2025-12-05
(New SBOM Mode)
This guide explains how to use the JFrog Xray Impacted Resources Search API to identify artifacts affected by CVE-2025-55182 and CVE-2025-66478.

This method uses the specific GET endpoint with URL parameters for a simplified, lightweight search.
  • API Endpoint: [JFrog_URL]/xray/api/v2/search/impactedResources
  • Method: GET

1. Find Impacted Resources by CVE ID

Use this command to find all artifacts (Docker images, npm packages, etc.) that contain components affected by a specific CVE.
URL parameters syntax: vulnerability=[CVE_ID]

Command:
curl -u "<USER>:<TOKEN>" \
"https://<JFrog_URL>/xray/api/v2/search/impactedResources?vulnerability=CVE-2025-55182&limit=10"
Expected Output:
A JSON list of resources (e.g., specific Docker tags or builds) that are vulnerable to CVE-2025-55182.
The latest React2Shell vulnerability has the following related CVEs:
  • CVE-2025-55182
  • CVE-2025-66478

{
  "result": [
    {
      "type": "Artifact",
      "name": "plugin-rsc-0.4.32.tgz",
      "path": "/@vitejs/plugin-rsc/-/",
      "repo": "npmjs-cache",
      "artifact_name": "plugin-rsc-0.4.32.tgz",
      "artifact_pkg_version": {
        "type": "npm",
        "name": "@vitejs/plugin-rsc",
        "namespace": "public",
        "version": "0.4.32",
        "ecosystem": "generic"
      },
      "scan_date": "2025-09-30T16:10:05.451215Z",
      "impacted_pkg_version": {
        "type": "npm",
        "name": "react-server-dom-webpack",
        "namespace": "public",
        "version": "19.1.1",
        "ecosystem": "generic"
      }
    }
  ],
  "last_key": "Gg..4="
}

2. Find Impacted Resources by Component Name
Use this command to find all artifacts that contain a specific component, regardless of whether it has a known vulnerability. This is useful for investigating the blast radius of a specific library.
URL parameters syntax: type=[PACKAGE_TYPE]&name=[COMPONENT_NAME]

Command:
curl -u "<USER>:<TOKEN>" \
"https://<JFrog_URL>/xray/api/v2/search/impactedResources?type=npm&name=react-server-dom-webpack&limit=10"
Expected Output:

A JSON list of artifacts containing the npm package react-server-dom-webpack (limited to 10 items, as specified in the curl command).

The vulnerable packages for the React2Shell vulnerabilities are (all of them are of type npm):
  • react-server-dom-webpack
  • react-server-dom-turbopack
  • react-server-dom-parcel
  • next

{
  "result": [
    {
      "type": "Artifact",
      "name": "plugin-rsc-0.4.32.tgz",
      "path": "/@vitejs/plugin-rsc/-/",
      "repo": "npmjs-cache",
      "artifact_name": "plugin-rsc-0.4.32.tgz",
      "artifact_pkg_version": {
        "type": "npm",
        "name": "@vitejs/plugin-rsc",
        "namespace": "public",
        "version": "0.4.32",
        "ecosystem": "generic"
      },
      "scan_date": "2025-09-30T16:10:05.451215Z",
      "impacted_pkg_version": {
        "type": "npm",
        "name": "react-server-dom-webpack",
        "namespace": "public",
        "version": "19.1.1",
        "ecosystem": "generic"
      }
    }
  ],
  "last_key": "Gg..4="
}
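
Added example (not part of the original JFrog article and not JFrog code): both searches return the same response shape, so one pass can build a query for every CVE and package listed above and merge the results into a single deduplicated list of affected artifacts. The host xray.example.test, the function names, and the second sample artifact with its version are constructed for illustration; only the vulnerability, type, name and limit parameters shown on this page are used.

```python
import json
from urllib.parse import urlencode

# CVE IDs and npm package names listed on this page for React2Shell.
CVES = ["CVE-2025-55182", "CVE-2025-66478"]
PACKAGES = ["react-server-dom-webpack", "react-server-dom-turbopack",
            "react-server-dom-parcel", "next"]

def build_queries(base_url, limit=10):
    """One search URL per CVE and per package, using only the page's parameters."""
    endpoint = base_url.rstrip("/") + "/xray/api/v2/search/impactedResources"
    params = [{"vulnerability": cve} for cve in CVES]
    params += [{"type": "npm", "name": pkg} for pkg in PACKAGES]
    return [f"{endpoint}?{urlencode({**p, 'limit': limit})}" for p in params]

def merge_results(responses):
    """Deduplicate artifacts across responses; map each to its impacted components."""
    merged = {}
    for resp in responses:
        for item in resp.get("result", []):
            location = f"{item['repo']}{item['path']}{item['name']}"
            impacted = item.get("impacted_pkg_version") or {}
            component = (impacted.get("name"), impacted.get("version"))
            merged.setdefault(location, set()).add(component)
    return merged

# Constructed sample responses, modelled on the response shape shown above.
SAMPLE_BY_CVE = json.loads("""{"result": [{"type": "Artifact",
  "name": "plugin-rsc-0.4.32.tgz", "path": "/@vitejs/plugin-rsc/-/",
  "repo": "npmjs-cache",
  "impacted_pkg_version": {"type": "npm", "name": "react-server-dom-webpack",
                           "version": "19.1.1"}}]}""")
SAMPLE_BY_NAME = json.loads("""{"result": [{"type": "Artifact",
  "name": "plugin-rsc-0.4.32.tgz", "path": "/@vitejs/plugin-rsc/-/",
  "repo": "npmjs-cache",
  "impacted_pkg_version": {"type": "npm", "name": "react-server-dom-webpack",
                           "version": "19.1.1"}},
 {"type": "Artifact", "name": "demo-app-1.0.0.tgz", "path": "/demo-app/-/",
  "repo": "npm-local",
  "impacted_pkg_version": {"type": "npm", "name": "react-server-dom-webpack",
                           "version": "0.0.0-sample"}}]}""")

if __name__ == "__main__":
    for url in build_queries("https://xray.example.test"):
        print(url)
    merged = merge_results([SAMPLE_BY_CVE, SAMPLE_BY_NAME])
    for location, components in sorted(merged.items()):
        print(location, sorted(components))
```
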

Important Note

These simplified URL query parameters (vulnerability, type, name) are only supported on JFrog Xray systems that have been migrated to use the "new SBOM" feature.


Full documentation for this API is available at https://docs.jfrog.com/security/reference/search-resources-by-vulnerability-and-package