Research

Critical Security Advisory: Unauthenticated RCE in React & Next.js Ecosystem

This research post examines CVE-2025-55182 and CVE-2025-66478, two patched vulnerabilities in the React Server Components Flight protocol that could enable unauthenticated Remote Code Execution (RCE) in default Next.js, Waku, and RedwoodJS configurations. We break down how the Flight serialization process works, why traditional scanners struggled to detect these issues, which applications were actually exposed, and how teams can validate and prioritize updates without unnecessary alarm.

Ofek Haviv
December 3, 2025

How Terra’s AI Agents Uncovered a Critical SQL Injection Missed by Traditional Tools and Manual Testers

Aviv Vinograzki
September 3, 2025

Shai-Hulud-Worm

Ofek Haviv
September 18, 2025

Web Application Pen Testing: The Essential Guide

Learn more in this guide to web application penetration testing. Learn key steps, common vulnerabilities, and the importance of continuous testing with Terra.

Gal Malachi
February 11, 2025

Meet Terra Researchers

Ofir Hamam

Ofir Hamam

Researches real-world exploitation of CI/CD and continuous delivery workflows.

Gev Hadari

Gev Hadari

Researches real-world business logic and authorization vulnerabilities in SaaS applications.

Resources
Research
Blog
Customers
Partners
Testimonials
Company
About
Careers
Support
Legal
Privacy Policy
Terms of Service
© 2024-2026 Terra Security. All rights reserved.