Security Incident Update, Fixes, and Service Status

We’re sharing a transparent update about a recent security issue that impacted parts of our platform and the steps we’ve taken to resolve it.

Summary

On December 3, 2025, a critical Remote Code Execution (RCE) vulnerability was disclosed in the Next.js frontend framework. Shortly after disclosure, we detected suspicious activity in our production environment consistent with exploitation of this vulnerability.

We immediately treated this event as high severity and executed our incident response plan. While unauthorized code execution and user creation were detected on the frontend infrastructure, we have found no evidence that customer data was exfiltrated.

All services have been patched, servers have been rebuilt from clean backups, and enhanced monitoring is currently in place.

Incident Overview & Details

On 3 December 2025 at 4:43 PM (GMT+1), Vercel publicly disclosed a newly discovered vulnerability in Next.js, our frontend framework. The issue could allow an attacker to run commands on the server. Shortly after, we detected suspicious activity in our production environment consistent with exploitation: an automated search for JavaScript files and the creation of two unauthorized user accounts.

Internal Impact: Our “Testpod” frontend application was running a vulnerable version of Next.js (15.0.3) at the time of the attack.

Investigative Findings (Forensics)

Our security team determined that the activity was confined to the frontend infrastructure. The attacker used the vulnerability to perform the following actions:

  • Reconnaissance: An automated search was performed to locate JavaScript files within the directory /testpod-frontend-prod.
    • Command detected: find . -type f -name *.js.
  • Unauthorized Access: Two unauthorized user accounts were created on the server.

Log evidence:

/var/log/auth.log: Dec 5 13:27:28 … useradd … new user name zBACHT?

/var/log/auth.log: Dec 5 13:28:49 … useradd … new user name 2CGXBPmB

The attacker ran `find . -type f -name *.js` from /testpod-frontend-prod, the directory housing the Next.js code, to enumerate the JavaScript files it contains.

The two malicious accounts had no privileges beyond the directory in which they were created, and that directory holds no sensitive information.
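The two useradd entries above are the kind of signal a host-based detection should raise on its own, before a human reads auth.log. The following Python is an added example for this write-up, not code from the incident report or from any vendor tooling: it parses standard shadow-utils useradd syslog lines, compares each new account against a provisioning allow-list and a naming policy, and returns the ones that fail either check. The log lines are constructed to mirror the shape of the entries quoted above (hostname, PIDs, UIDs, the deploy account, and the sshd/sudo lines are invented), and the allow-list and naming policy are assumptions for illustration.

```python
"""Flag unexpected account creations in an auth.log stream.

Added example for this incident write-up; not part of the original
report or of any vendor tooling. Sample log lines are constructed, and
the allow-list and naming policy below are assumptions.
"""
import re

# Constructed sample data in the standard shadow-utils useradd syslog format.
# Hostname, PIDs, UIDs and the surrounding sshd/sudo lines are invented;
# the two account names are the ones quoted in the report.
SAMPLE_AUTH_LOG = """\
Dec  5 13:20:01 web-prod-1 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 50212 ssh2
Dec  5 13:27:28 web-prod-1 useradd[2317]: new user: name=zBACHT, UID=1001, GID=1001, home=/home/zBACHT, shell=/bin/bash
Dec  5 13:27:28 web-prod-1 useradd[2317]: add 'zBACHT' to group 'users'
Dec  5 13:28:49 web-prod-1 useradd[2340]: new user: name=2CGXBPmB, UID=1002, GID=1002, home=/home/2CGXBPmB, shell=/bin/bash
Dec  5 14:02:10 web-prod-1 useradd[2555]: new user: name=deploy, UID=1003, GID=1003, home=/home/deploy, shell=/bin/bash
Dec  5 14:05:00 web-prod-1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart testpod
"""

# Accounts that provisioning is allowed to create (assumed allow-list).
EXPECTED_ACCOUNTS = {"deploy"}

# Assumed naming policy: lowercase, starts with a letter, 3-32 chars.
# Random mixed-case or digit-leading names like the two above fail it.
NAMING_POLICY = re.compile(r"^[a-z][a-z0-9_-]{2,31}$")

# Matches the "new user" line useradd writes; group-membership lines are ignored.
USERADD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) useradd\[\d+\]: "
    r"new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)"
)


def useradd_events(lines):
    """Yield one dict per account creation found in the given log lines."""
    for line in lines:
        m = USERADD_RE.match(line)
        if m:
            yield {"ts": m["ts"], "host": m["host"],
                   "name": m["name"], "uid": int(m["uid"])}


def flag_account_creations(lines, expected=EXPECTED_ACCOUNTS):
    """Return account creations that fail the allow-list or naming policy."""
    findings = []
    for ev in useradd_events(lines):
        reasons = []
        if ev["name"] not in expected:
            reasons.append("not in provisioning allow-list")
        if not NAMING_POLICY.match(ev["name"]):
            reasons.append("name violates naming policy")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in flag_account_creations(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{f['ts']} {f['host']}: new account {f['name']!r} "
              f"(uid {f['uid']}) -> {'; '.join(f['reasons'])}")
```

Run against the sample, the two attacker-created accounts are reported with both reasons and the allowed `deploy` account is not. In production the same function would be fed from the journal or a log shipper; the point is that an allow-list of accounts provisioning is permitted to create turns a useradd on a web server into an alert rather than something found days later in a forensic review.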

Remediation

  • Patched to fixed Next.js versions:
    • Testpod Staging: 15.0.3 → 15.0.5
    • Testpod Production: 15.0.3 → 15.0.5
    • Rova Staging: 15.4.4 → 15.4.8
  • Rebuilt the affected production server from a clean backup (Dec 4, 2025, 9:00 PM to 1:00 AM GMT+1).
  • Restored MongoDB data and connections.
  • Rotated credentials, audited access logs, and tightened server command permissions.
Next.js versions updated accordingly:

App                  Vulnerable version   Patched version
Testpod staging      15.0.3               15.0.5
Testpod production   15.0.3               15.0.5
Rova staging         15.4.4               15.4.8
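Because the fix lands in a specific patch release per release line, the useful check is against the version actually resolved in the lockfile, not the range in package.json. The following Python is an added example for this write-up, not a tool from the report or from Vercel: it reads the resolved `next` version from an npm lockfile and compares it with the minimum fixed version for that release line, using only the two lines the table above documents (15.0.x to 15.0.5, 15.4.x to 15.4.8). Any other release line is reported as unknown rather than guessed. The sample lockfile is constructed, and the treatment of pre-release tags (a `15.0.5-canary.1` build sorts below `15.0.5`) follows ordinary semver ordering.

```python
"""Check the Next.js version resolved in an npm lockfile against the fixed
versions listed in this post. Added example, not part of the original report."""
import json

# Minimum fixed version per release line, taken from the table in this post.
# Release lines not in this table are reported as "unknown", not guessed.
FIXED_BY_LINE = {
    (15, 0): (15, 0, 5),
    (15, 4): (15, 4, 8),
}

# Constructed sample lockfile (lockfileVersion 3) resolving next@15.0.3.
SAMPLE_LOCKFILE = json.dumps({
    "name": "testpod-frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"next": "^15.0.3"}},
        "node_modules/next": {"version": "15.0.3", "resolved": "https://registry.npmjs.org/next/-/next-15.0.3.tgz"},
        "node_modules/react": {"version": "19.0.0"},
    },
})


def parse_version(version):
    """Return a sortable tuple (major, minor, patch, is_release).

    A pre-release such as "15.0.5-canary.1" gets is_release=0 so that it
    sorts below the final "15.0.5", as semver requires.
    """
    core, sep, _prerelease = version.partition("-")
    core = core.split("+", 1)[0]  # drop build metadata
    major, minor, patch = (int(p) for p in core.split(".")[:3])
    return (major, minor, patch, 0 if sep else 1)


def installed_next_version(lockfile_text):
    """Extract the resolved next version from a v1, v2 or v3 npm lockfile."""
    lock = json.loads(lockfile_text)
    pkg = lock.get("packages", {}).get("node_modules/next")  # lockfileVersion 2/3
    if pkg is None:
        pkg = lock.get("dependencies", {}).get("next")  # lockfileVersion 1
    return pkg["version"] if pkg else None


def assess(version):
    """Classify a next version as 'fixed', 'vulnerable' or 'unknown'."""
    parsed = parse_version(version)
    fixed = FIXED_BY_LINE.get(parsed[:2])
    if fixed is None:
        return "unknown"  # release line not covered by this post's table
    return "fixed" if parsed >= fixed + (1,) else "vulnerable"


def assess_lockfile(lockfile_text):
    """Return (resolved_version, verdict) for a lockfile's next dependency."""
    version = installed_next_version(lockfile_text)
    if version is None:
        return (None, "not-installed")
    return (version, assess(version))


if __name__ == "__main__":
    print(assess_lockfile(SAMPLE_LOCKFILE))
```

Against the sample lockfile this reports `('15.0.3', 'vulnerable')`, matching the state of Testpod before the patch. Running it over every service's lockfile in CI is a cheap way to confirm that a framework upgrade actually landed everywhere, rather than only in the package.json range.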

Current status

What you may notice

Future Prevention Strategy

If you have questions, please reach out through our Help Center or support channel. We’ll continue to prioritize security and reliability and keep this post updated if new information emerges.