Articles worth reading discovered last week. This week feels like a giant "how to find your own CVE"...
A great write-up on finding CVE-2025-64755 impacting Claude Code. A mix of strategy and practical tricks to get started, and probably enough to help some readers find their own vulnerability: https://specterops.io/blog/2025/11/21/an-evening-with-claude-code/
Another excellent post from Jia in the elttam team. It covers subtle traps in email parsing impacting Java, many of which apply easily to other languages as well: https://www.elttam.com/blog/jakarta-mail-primitives/. A great resource to keep handy if you are auditing applications that deal with emails.
A blog post showing how "just" leveraging Wycheproof test vectors can lead directly to CVEs: https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof/
Adam and Shubs share a pre-auth RCE in Oracle Identity Manager. Beyond the vulnerability itself, the attentive reader will pick up several key tricks between the lines: https://slcyber.io/research-center/breaking-oracles-identity-manager-pre-auth-rce/