From 5062dc6b3acc8b9c9f833c2e57b789ed8709d425 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Thu, 4 Dec 2025 13:46:02 -0500 Subject: [PATCH 01/13] [New Rule] BBR - Potential React.JS CVE-2025-55182 Exploit Attempt Fixes #5406 --- ...s_react_server_components_rce_attempt.toml | 119 ++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 rules_building_block/initial_access_react_server_components_rce_attempt.toml diff --git a/rules_building_block/initial_access_react_server_components_rce_attempt.toml b/rules_building_block/initial_access_react_server_components_rce_attempt.toml new file mode 100644 index 00000000000..825cc85406c --- /dev/null +++ b/rules_building_block/initial_access_react_server_components_rce_attempt.toml 
@@ -0,0 +1,119 @@ +[metadata] +bypass_bbr_timing = true +creation_date = "2025/12/04" +integration = ["network_traffic"] +maturity = "production" +updated_date = "2025/12/04" + +[rule] +author = ["Elastic"] +building_block_type = "default" +description = """ +This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution +vulnerability in React Server Components (RSC). The vulnerability exists in React versions 19.0.0 to 19.2.0 and Next.js +versions prior to 15.1.3, allowing attackers to execute arbitrary code on the server by sending specially crafted RSC +deserialization payloads. +""" +from = "now-9m" +interval = "8m" +language = "esql" +license = "Elastic License v2" +name = "Potential React Server Components RCE Attempt (CVE-2025-55182)" +note = """## Triage and analysis + +### Investigating Potential React Server Components RCE Attempt (CVE-2025-55182) + +This rule detects potential exploitation attempts against CVE-2025-55182/CVE-2025-66478, a critical CVSS 10.0 vulnerability affecting React 19.0.0-19.2.0 and Next.js versions prior to 15.1.3. The vulnerability allows remote code execution through malformed React Server Component (RSC) deserialization payloads. + +### Possible investigation steps + +- Examine the full HTTP request body to identify the specific attack payload variant (constructor chain, __proto__ access, or malformed references). +- Identify the target application and verify if it runs vulnerable React or Next.js versions. +- Review the source IP for other reconnaissance or exploitation attempts against web applications. +- Check if any proof-of-exploitation files were created on the server (common RCE validation technique). +- Correlate with process execution logs to identify if child processes were spawned by the web server. 
+ +### False positive analysis + +- Legitimate React Server Components traffic may contain `$ACTION_` patterns but should NOT contain `constructor`, `__proto__`, or malformed references like `$N:a:a` as property paths. +- Developer testing or security scanning tools may trigger this rule during authorized penetration testing. +- The combination of `$ACTION_REF` with prototype-related strings is a strong indicator of exploitation attempt. +- Testing environments from tools such as [react2shell-scanner](https://github.com/assetnote/react2shell-scanner). + +### Response and remediation + +- Immediately update affected applications to patched versions +- Block the source IP at the WAF/reverse proxy if exploitation is confirmed. +- If HTTP 500 responses were observed, assume the vulnerable code path was triggered and investigate for potential compromise. +- Review application logs for any evidence of successful code execution. +- Consider implementing input validation for RSC payloads at the application layer. 
+""" +references = [ + "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182", + "https://github.com/assetnote/react2shell-scanner", + "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/", +] +risk_score = 47 +rule_id = "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f" +severity = "medium" +tags = [ + "Domain: Network", + "Domain: Application", + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Network Packet Capture", + "Rule Type: BBR", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "esql" + +query = ''' +FROM logs-network_traffic.http-* metadata _id, _version, _index +| WHERE http.request.method == "POST" + AND ( + http.request.body.content LIKE "*$ACTION_REF*" + OR http.request.body.content LIKE "*$ACTION_*:*" + ) + AND ( + http.request.body.content LIKE "*constructor*" + OR http.request.body.content LIKE "*__proto__*" + OR http.request.body.content LIKE "*prototype*" + OR http.request.body.content RLIKE """\$\d+:[a-z]+:[a-z]+""" + ) +| KEEP * +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + From 4a8ac09233f5214a89edad12aaaebe1c7ce1bcd9 Mon Sep 17 00:00:00 2001 
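Review bot: The `RLIKE """\$\d+:[a-z]+:[a-z]+"""` branch cannot match the `__proto__`/`constructor` chunk-reference form the note describes, because `[a-z]+` excludes underscores, and as I recall ES|QL `RLIKE` must match the whole field value, so the unanchored pattern will not fire against a real request body at all; `RLIKE """.*\$\d+:[_a-zA-Z]+:[_a-zA-Z]+.*"""` would. Separately, `http.request.body.content` is only populated when the Network Packet Capture integration is configured to capture request bodies (the HTTP protocol's `include_request_body_for` setting, which I believe is off by default), so on a default deployment this rule silently never fires; a `setup` section or one sentence in the note stating that prerequisite would save deployers time. The `LIKE "*prototype*"` clause is broad enough to match ordinary JS source or JSON posted to any endpoint, though the `$ACTION_` anchor keeps that in check for now.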
From: terrancedejesus Date: Thu, 4 Dec 2025 13:53:25 -0500 Subject: [PATCH 02/13] updated descriptions --- ...initial_access_react_server_components_rce_attempt.toml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules_building_block/initial_access_react_server_components_rce_attempt.toml b/rules_building_block/initial_access_react_server_components_rce_attempt.toml index 825cc85406c..ff9f016635a 100644 --- a/rules_building_block/initial_access_react_server_components_rce_attempt.toml +++ b/rules_building_block/initial_access_react_server_components_rce_attempt.toml @@ -10,9 +10,8 @@ author = ["Elastic"] building_block_type = "default" description = """ This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution -vulnerability in React Server Components (RSC). The vulnerability exists in React versions 19.0.0 to 19.2.0 and Next.js -versions prior to 15.1.3, allowing attackers to execute arbitrary code on the server by sending specially crafted RSC -deserialization payloads. +vulnerability in React Server Components (RSC). The vulnerability allows attackers to execute arbitrary code on the +server by sending specially crafted RSC deserialization payloads. """ from = "now-9m" interval = "8m" @@ -23,7 +22,7 @@ note = """## Triage and analysis ### Investigating Potential React Server Components RCE Attempt (CVE-2025-55182) -This rule detects potential exploitation attempts against CVE-2025-55182/CVE-2025-66478, a critical CVSS 10.0 vulnerability affecting React 19.0.0-19.2.0 and Next.js versions prior to 15.1.3. The vulnerability allows remote code execution through malformed React Server Component (RSC) deserialization payloads. +This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React Server Components (RSC). ### Possible investigation steps From 19eb423b7912a08c9b0111e05e8d12107bcd7f59 Mon Sep 17 00:00:00 2001 
From: terrancedejesus Date: Thu, 4 Dec 2025 14:07:23 -0500 Subject: [PATCH 03/13] changed to EQL --- ...s_react_server_components_rce_attempt.toml | 30 +++++++++---------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/rules_building_block/initial_access_react_server_components_rce_attempt.toml b/rules_building_block/initial_access_react_server_components_rce_attempt.toml index ff9f016635a..80febf6fbb0 100644 --- a/rules_building_block/initial_access_react_server_components_rce_attempt.toml +++ b/rules_building_block/initial_access_react_server_components_rce_attempt.toml @@ -14,8 +14,8 @@ vulnerability in React Server Components (RSC). The vulnerability allows attacke server by sending specially crafted RSC deserialization payloads. """ from = "now-9m" -interval = "8m" -language = "esql" +index = ["logs-network_traffic.http*"] +language = "eql" license = "Elastic License v2" name = "Potential React Server Components RCE Attempt (CVE-2025-55182)" note = """## Triage and analysis 
@@ -67,22 +67,20 @@ tags = [
 "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "esql"
+type = "eql"
 query = '''
-FROM logs-network_traffic.http-* metadata _id, _version, _index
-| WHERE http.request.method == "POST"
- AND (
- http.request.body.content LIKE "*$ACTION_REF*"
- OR http.request.body.content LIKE "*$ACTION_*:*"
- )
- AND (
- http.request.body.content LIKE "*constructor*"
- OR http.request.body.content LIKE "*__proto__*"
- OR http.request.body.content LIKE "*prototype*"
- OR http.request.body.content RLIKE """\$\d+:[a-z]+:[a-z]+"""
- )
-| KEEP *
+network where event.category == "network" and http.request.method == "POST" and
+ (
+ http.request.body.content like~ "*$ACTION_REF*" or
+ http.request.body.content like~ "*$ACTION_*:*"
+ ) and
+ (
+ http.request.body.content like~ "*constructor*" or
+ http.request.body.content like~ "*__proto__*" or
+ http.request.body.content like~ "*prototype*" or
+ http.request.body.content regex~ """\$\d+:[a-z]+:[a-z]+"""
+ )
 '''
From 0bdd6ad5bfc382095ae2d15b32eeacbf8eebe247 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Thu, 4 Dec 2025 14:42:17 -0500
Subject: [PATCH 04/13] adjusted note
---
 .../initial_access_react_server_components_rce_attempt.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules_building_block/initial_access_react_server_components_rce_attempt.toml b/rules_building_block/initial_access_react_server_components_rce_attempt.toml
index 80febf6fbb0..bba9fdc619e 100644
--- a/rules_building_block/initial_access_react_server_components_rce_attempt.toml
+++ b/rules_building_block/initial_access_react_server_components_rce_attempt.toml
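Review bot: The new `regex~ """\$\d+:[a-z]+:[a-z]+"""` clause is unanchored, and EQL `regex` (like the ES|QL `RLIKE` it replaces) matches against the entire string as far as I know, which is why other EQL rules in this repo wrap patterns in `.*…*.`; as written it can only match a body that is exactly one chunk reference, so `regex~ """.*\$\d+:[_a-zA-Z]+:[_a-zA-Z]+.*"""` is needed, with `_` added so `__proto__` and `constructor` are reachable by this branch. Also note `like~` is case-insensitive, so `"*constructor*"` and `"*prototype*"` now also hit `Constructor`/`Prototype` in legitimate Flight payloads (component or prop names), which slightly widens the BBR compared with the case-sensitive ES|QL `LIKE` it replaced; case-sensitive `like` would preserve the previous behaviour.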
@@ -26,7 +26,7 @@ This rule detects potential exploitation attempts targeting CVE-2025-55182, a cr ### Possible investigation steps -- Examine the full HTTP request body to identify the specific attack payload variant (constructor chain, __proto__ access, or malformed references). +- Examine the full HTTP request body to identify the specific attack payload variant. - Identify the target application and verify if it runs vulnerable React or Next.js versions. - Review the source IP for other reconnaissance or exploitation attempts against web applications. - Check if any proof-of-exploitation files were created on the server (common RCE validation technique). @@ -34,9 +34,9 @@ This rule detects potential exploitation attempts targeting CVE-2025-55182, a cr ### False positive analysis -- Legitimate React Server Components traffic may contain `$ACTION_` patterns but should NOT contain `constructor`, `__proto__`, or malformed references like `$N:a:a` as property paths. +- Legitimate React Server Components traffic may contain specific patterns but should NOT contain constructor strings, or malformed references as property paths. - Developer testing or security scanning tools may trigger this rule during authorized penetration testing. -- The combination of `$ACTION_REF` with prototype-related strings is a strong indicator of exploitation attempt. +- The combination of constructor or prototype strings with specific patterns is highly indicative of malicious activity. - Testing environments from tools such as [react2shell-scanner](https://github.com/assetnote/react2shell-scanner). ### Response and remediation From 8df9f49dd3504ce2f9c7fca627e7bdd70f261a36 Mon Sep 17 00:00:00 2001 
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Thu, 4 Dec 2025 18:52:35 -0500
Subject: [PATCH 05/13] Update rules_building_block/initial_access_react_server_components_rce_attempt.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 .../initial_access_react_server_components_rce_attempt.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules_building_block/initial_access_react_server_components_rce_attempt.toml b/rules_building_block/initial_access_react_server_components_rce_attempt.toml
index bba9fdc619e..ee356b0c21e 100644
--- a/rules_building_block/initial_access_react_server_components_rce_attempt.toml
+++ b/rules_building_block/initial_access_react_server_components_rce_attempt.toml
@@ -70,7 +70,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-network where event.category == "network" and http.request.method == "POST" and
+network where http.request.method == "POST" and
 (
 http.request.body.content like~ "*$ACTION_REF*" or
 http.request.body.content like~ "*$ACTION_*:*"
From ac4dd69ea2545eba4bff11d0cd2b155fd73f17a3 Mon Sep 17 00:00:00 2001
From: terrancedejesus
Date: Fri, 5 Dec 2025 11:24:27 -0500
Subject: [PATCH 06/13] adjusted query
---
 ...s_react_server_components_rce_attempt.toml | 126 ++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 rules/network/initial_access_react_server_components_rce_attempt.toml
diff --git a/rules/network/initial_access_react_server_components_rce_attempt.toml b/rules/network/initial_access_react_server_components_rce_attempt.toml
new file mode 100644
index 00000000000..45d1c98b7fb
--- /dev/null
+++ b/rules/network/initial_access_react_server_components_rce_attempt.toml
@@ -0,0 +1,126 @@ +[metadata] +creation_date = "2025/12/04" +integration = ["network_traffic"] +maturity = "production" +updated_date = "2025/12/04" + +[rule] +author = ["Elastic"] +description = """ +This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution +vulnerability in React Server Components (RSC). The vulnerability allows attackers to execute arbitrary code on the +server by sending specially crafted RSC deserialization payloads. +""" +from = "now-9m" +index = ["logs-network_traffic.http*"] +language = "eql" +license = "Elastic License v2" +name = "Potential React Server Components RCE Attempt (CVE-2025-55182)" +note = """## Triage and analysis + +### Investigating Potential React Server Components RCE Attempt (CVE-2025-55182) + +This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React Server Components (RSC). + +### Possible investigation steps + +- Examine the full HTTP request body to identify the specific attack payload variant. +- Identify the target application and verify if it runs vulnerable React or Next.js versions. +- Review the source IP for other reconnaissance or exploitation attempts against web applications. +- Check if any proof-of-exploitation files were created on the server (common RCE validation technique). +- Correlate with process execution logs to identify if child processes were spawned by the web server. + +### False positive analysis + +- Legitimate React Server Components traffic may contain specific patterns but should NOT contain constructor strings, or malformed references as property paths. +- Developer testing or security scanning tools may trigger this rule during authorized penetration testing. +- The combination of constructor or prototype strings with specific patterns is highly indicative of malicious activity. 
+- Testing environments from tools such as [react2shell-scanner](https://github.com/assetnote/react2shell-scanner). + +### Response and remediation + +- Immediately update affected applications to patched versions +- Block the source IP at the WAF/reverse proxy if exploitation is confirmed. +- If HTTP 500 or 303 responses were observed, assume the vulnerable code path was triggered and investigate for potential compromise. +- Review application logs for any evidence of successful code execution. +- Consider implementing input validation for RSC payloads at the application layer. +""" +references = [ + "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182", + "https://github.com/assetnote/react2shell-scanner", + "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/", + "https://github.com/msanft/CVE-2025-55182" +] +risk_score = 47 +rule_id = "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f" +severity = "medium" +tags = [ + "Domain: Network", + "Domain: Application", + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Network Packet Capture", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +network where http.request.method == "POST" and +( + // Specific CVE-2025-55182 RCE indicators + ( + http.response.status_code in (500, 303) and + http.response.body.content like~ "*E{\"digest\"*" and + http.request.body.content like~ "*.execSync(*" + ) or + // Prototype pollution patterns in Flight protocol + ( + http.request.body.content like~ "*__proto__*" or + http.request.body.content like~ "*constructor:constructor*" or + http.request.body.content regex~ """\$\d+:[_a-zA-Z][_a-zA-Z0-9]*:[_a-zA-Z][_a-zA-Z0-9]*""" + ) or + // Node.js code execution attempts + ( + http.request.body.content like~ "*require('child_process')*" or + http.request.body.content like~ 
"*require(\"child_process\")*" or + http.request.body.content like~ "*process.mainModule*" or + http.request.body.content like~ "*.exec(*" or + http.request.body.content like~ "*.spawn(*" + ) +) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + From aeaa6eea7986a123beb73b7900a9212ed349d19f Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Fri, 5 Dec 2025 11:55:38 -0500 Subject: [PATCH 07/13] adding anomalous RSC BBR rule; adusted query to be react2shell RCE specific --- ...s_react_server_components_rce_attempt.toml | 65 +++++----- ...ss_anomalous_rsc_flight_data_patterns.toml | 116 ++++++++++++++++++ 2 files changed, 147 insertions(+), 34 deletions(-) create mode 100644 rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml diff --git a/rules/network/initial_access_react_server_components_rce_attempt.toml b/rules/network/initial_access_react_server_components_rce_attempt.toml index 45d1c98b7fb..f673fa164ea 100644 --- a/rules/network/initial_access_react_server_components_rce_attempt.toml +++ b/rules/network/initial_access_react_server_components_rce_attempt.toml 
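Review bot: The second and third OR groups dropped the `$ACTION_` Flight anchor that the BBR version required, so `like~ "*.exec(*"`, `"*.spawn(*"` and `"*__proto__*"` on their own now fire on any POST body containing those substrings to any host (JavaScript source uploads, JSON carrying a regex `.exec(` call, bundles pushed to CI or paste services), which for a promoted non-BBR rule at risk 47 will be noisy. Consider re-adding an RSC context requirement to those groups, e.g. `http.request.body.content like~ "*$ACTION_*"` or a `\$\d+:` chunk reference, or scoping the index/hosts to those known to serve Next.js. The first group correlates `http.request.*` and `http.response.*` inside one event, which holds for Packetbeat HTTP transactions but deserves a comment since it silently breaks on any source that emits request and response as separate documents. The `regex~` pattern also needs `.*` at both ends if EQL regex matches the whole string, as I believe it does.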
@@ -2,48 +2,50 @@ creation_date = "2025/12/04" integration = ["network_traffic"] maturity = "production" -updated_date = "2025/12/04" +updated_date = "2025/12/05" [rule] author = ["Elastic"] description = """ -This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution -vulnerability in React Server Components (RSC). The vulnerability allows attackers to execute arbitrary code on the -server by sending specially crafted RSC deserialization payloads. +This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in +React Server Components (RSC) Flight protocol. The vulnerability allows attackers to execute arbitrary code on the +server by sending specially crafted deserialization payloads that exploit prototype chain traversal to access the +Function constructor. This rule focuses on high-fidelity indicators of active exploitation including successful +command execution responses and prototype pollution attack patterns. """ from = "now-9m" index = ["logs-network_traffic.http*"] language = "eql" license = "Elastic License v2" -name = "Potential React Server Components RCE Attempt (CVE-2025-55182)" +name = "React2Shell (CVE-2025-55182) Exploitation Attempt" note = """## Triage and analysis -### Investigating Potential React Server Components RCE Attempt (CVE-2025-55182) +### Investigating React2Shell (CVE-2025-55182) Exploitation Attempt -This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React Server Components (RSC). +This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React's Flight protocol used by Next.js and other RSC implementations. 
The vulnerability stems from insecure prototype chain traversal in the Flight deserializer, allowing attackers to access `__proto__`, `constructor`, and ultimately the `Function` constructor to execute arbitrary code. ### Possible investigation steps -- Examine the full HTTP request body to identify the specific attack payload variant. -- Identify the target application and verify if it runs vulnerable React or Next.js versions. +- Examine the full HTTP request body to identify the specific attack payload and command being executed. +- Check the response body for `E{"digest":"..."}` patterns which contain command output from successful exploitation. +- Identify the target application and verify if it runs vulnerable React (< 19.1.0) or Next.js (< 15.3.2) versions. - Review the source IP for other reconnaissance or exploitation attempts against web applications. -- Check if any proof-of-exploitation files were created on the server (common RCE validation technique). -- Correlate with process execution logs to identify if child processes were spawned by the web server. +- Check for the `Next-Action` header which is required for the exploit to work. +- Correlate with process execution logs to identify if child processes (e.g., shell commands) were spawned by the Node.js process. ### False positive analysis -- Legitimate React Server Components traffic may contain specific patterns but should NOT contain constructor strings, or malformed references as property paths. -- Developer testing or security scanning tools may trigger this rule during authorized penetration testing. -- The combination of constructor or prototype strings with specific patterns is highly indicative of malicious activity. -- Testing environments from tools such as [react2shell-scanner](https://github.com/assetnote/react2shell-scanner). +- Legitimate React Server Components traffic will NOT contain `__proto__`, `constructor:constructor`, or code execution patterns. 
+- Security scanning tools like react2shell-scanner may trigger this rule during authorized penetration testing. +- The combination of prototype pollution patterns with RSC-specific syntax is highly indicative of malicious activity. ### Response and remediation -- Immediately update affected applications to patched versions +- Immediately update affected applications: React >= 19.1.0, Next.js >= 15.3.2. - Block the source IP at the WAF/reverse proxy if exploitation is confirmed. -- If HTTP 500 or 303 responses were observed, assume the vulnerable code path was triggered and investigate for potential compromise. -- Review application logs for any evidence of successful code execution. -- Consider implementing input validation for RSC payloads at the application layer. +- If HTTP 500 or 303 responses with `digest` output were observed, assume successful code execution and investigate for compromise. +- Review server logs for evidence of command execution (file creation, network connections, process spawning). +- Implement WAF rules to block requests containing `__proto__` or `constructor:constructor` in POST bodies. """ references = [ "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182", @@ -51,14 +53,15 @@ references = [ "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/", "https://github.com/msanft/CVE-2025-55182" ] -risk_score = 47 +risk_score = 73 rule_id = "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f" -severity = "medium" +severity = "high" tags = [ "Domain: Network", "Domain: Application", "Domain: Web", "Use Case: Threat Detection", + "Use Case: Vulnerability", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Network Packet Capture", 
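Review bot: The version guidance added here (`vulnerable React (< 19.1.0) or Next.js (< 15.3.2)` and `React >= 19.1.0, Next.js >= 15.3.2`) contradicts the ranges PATCH 01 of this same series gave (React 19.0.0 to 19.2.0 vulnerable, Next.js prior to 15.1.3), so at least one of them is wrong; a too-low "patched" version tells responders a still-vulnerable build is safe, so I'd either reconcile both against the vendor advisory or drop hard-coded versions and point to the advisory as the earlier commit chose to. The step `Check for the Next-Action header which is required for the exploit to work` is only actionable when header capture is enabled in the integration, which I believe is not the default; a short caveat there would help. The remediation `Implement WAF rules to block requests containing __proto__ or constructor:constructor in POST bodies` is reasonable as a virtual patch but should be framed as a temporary mitigation with a false-positive warning, since `__proto__` can legitimately appear in JSON bodies of unrelated applications on the same edge.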
@@ -70,25 +73,19 @@ type = "eql"
 query = '''
 network where http.request.method == "POST" and
 (
- // Specific CVE-2025-55182 RCE indicators
+ // Successful CVE-2025-55182 RCE - command output in digest
 (
 http.response.status_code in (500, 303) and
- http.response.body.content like~ "*E{\"digest\"*" and
- http.request.body.content like~ "*.execSync(*"
+ http.response.body.content like~ "*E{\"digest\"*"
 ) or
- // Prototype pollution patterns in Flight protocol
+ // Prototype pollution patterns specific to RSC Flight exploitation
 (
- http.request.body.content like~ "*__proto__*" or
- http.request.body.content like~ "*constructor:constructor*" or
- http.request.body.content regex~ """\$\d+:[_a-zA-Z][_a-zA-Z0-9]*:[_a-zA-Z][_a-zA-Z0-9]*"""
+ http.request.body.content like~ "*__proto__*" and
+ http.request.body.content like~ "*constructor*"
 ) or
- // Node.js code execution attempts
+ // RSC Flight chunk reference exploitation pattern ($N:property:property)
 (
- http.request.body.content like~ "*require('child_process')*" or
- http.request.body.content like~ "*require(\"child_process\")*" or
- http.request.body.content like~ "*process.mainModule*" or
- http.request.body.content like~ "*.exec(*" or
- http.request.body.content like~ "*.spawn(*"
+ http.request.body.content regex~ """\$\d+:__proto__:[_a-zA-Z][_a-zA-Z0-9]*"""
 )
 )
 '''
diff --git a/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml b/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml
new file mode 100644
index 00000000000..c36f294c963
--- /dev/null
+++ b/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml
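Review bot: Removing `http.request.body.content like~ "*.execSync(*"` from the first group leaves it as `status 500/303 + E{"digest"` with no request-side indicator; if I recall correctly an `E{"digest":…}` row is how Next.js reports any server-action error in production, so this branch, now commented `Successful CVE-2025-55182 RCE - command output in digest`, will alert at risk 73 on every ordinary failed server action. Keep some request-side evidence in that group (the `__proto__`/`constructor` clauses, or a `$N:` chunk reference) so the response pattern confirms rather than detects. The remaining `regex~ """\$\d+:__proto__:[_a-zA-Z][_a-zA-Z0-9]*"""` is unanchored, and EQL regex matches the whole string as far as I know, so it needs `.*` on both ends to ever fire on a real body. The `like~` case-insensitivity also lets `"*constructor*"` match `Constructor` in component names, which is minor given it is ANDed with `__proto__` but worth knowing when triaging.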
@@ -0,0 +1,116 @@ +[metadata] +creation_date = "2025/12/05" +integration = ["network_traffic"] +maturity = "production" +updated_date = "2025/12/05" + +[rule] +author = ["Elastic"] +building_block_type = "default" +description = """ +This rule detects anomalous patterns in React Server Components (RSC) Flight protocol data streams that may indicate +code injection or exploitation attempts. The Flight protocol is used by React and Next.js for server-client +communication, and should never contain Node.js code execution primitives like child_process, fs module calls, or +eval patterns. This building block rule casts a wider net to identify suspicious payloads that warrant further +investigation. +""" +from = "now-9m" +index = ["logs-network_traffic.http*"] +language = "eql" +license = "Elastic License v2" +name = "Anomalous React Server Components Flight Data Patterns" +references = [ + "https://react.dev/reference/rsc/server-components", + "https://github.com/facebook/react/blob/main/packages/react-server/src/ReactFlightServer.js", + "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182", + "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/", + "https://nextjs.org/docs/app/building-your-application/rendering/server-components", + "https://tonyalicea.dev/blog/understanding-react-server-components/" +] +risk_score = 21 +rule_id = "b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e" +severity = "low" +tags = [ + "Domain: Network", + "Domain: Application", + "Domain: Web", + "Use Case: Threat Detection", + "Tactic: Initial Access", + "Tactic: Execution", + "Data Source: Network Packet Capture", + "Rule Type: BBR", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +network where http.request.method == "POST" and http.response.status_code != 200 +( + // Node.js child_process module + ( + http.request.body.content like~ "*require('child_process')*" or + http.request.body.content 
like~ "*require(\"child_process\")*" or + http.request.body.content like~ "*child_process*" and http.request.body.content like~ "*.exec*" + ) or + // Node.js synchronous execution methods + ( + http.request.body.content like~ "*.execSync(*" or + http.request.body.content like~ "*.spawnSync(*" or + http.request.body.content like~ "*.execFileSync(*" + ) or + // Node.js file system operations - suspicious in RSC context + ( + http.request.body.content like~ "*require('fs')*" or + http.request.body.content like~ "*require(\"fs\")*" or + http.request.body.content like~ "*.readFileSync(*" or + http.request.body.content like~ "*.writeFileSync(*" or + http.request.body.content like~ "*.unlinkSync(*" + ) or + // Process and module access patterns used in exploitation + ( + http.request.body.content like~ "*process.mainModule*" or + http.request.body.content like~ "*process.binding*" or + http.request.body.content like~ "*process.dlopen*" + ) or + // JavaScript code execution primitives + ( + http.request.body.content like~ "*eval(*" and http.request.body.content like~ "*require*" or + http.request.body.content like~ "*Function(*" and http.request.body.content like~ "*return*" + ) or + // Generic prototype pollution indicators + ( + http.request.body.content like~ "*prototype*" and http.request.body.content like~ "*constructor*" + ) +) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1190" +name = "Exploit Public-Facing Application" +reference = "https://attack.mitre.org/techniques/T1190/" + + +[rule.threat.tactic] +id = "TA0001" +name = "Initial Access" +reference = "https://attack.mitre.org/tactics/TA0001/" + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.007" +name = "JavaScript" +reference = "https://attack.mitre.org/techniques/T1059/007/" + 
+ +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" From eaf4e9e0c2103e4f8839825d6c9f931271419a5c Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Fri, 5 Dec 2025 11:58:12 -0500 Subject: [PATCH 08/13] updated BBR --- ...ccess_react_server_components_rce_attempt.toml | 6 +++--- ...access_anomalous_rsc_flight_data_patterns.toml | 15 ++++++++------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/rules/network/initial_access_react_server_components_rce_attempt.toml b/rules/network/initial_access_react_server_components_rce_attempt.toml index f673fa164ea..b27c8baee97 100644 --- a/rules/network/initial_access_react_server_components_rce_attempt.toml +++ b/rules/network/initial_access_react_server_components_rce_attempt.toml @@ -10,8 +10,8 @@ description = """ This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React Server Components (RSC) Flight protocol. The vulnerability allows attackers to execute arbitrary code on the server by sending specially crafted deserialization payloads that exploit prototype chain traversal to access the -Function constructor. This rule focuses on high-fidelity indicators of active exploitation including successful -command execution responses and prototype pollution attack patterns. +Function constructor. This rule focuses on high-fidelity indicators of active exploitation including successful command +execution responses and prototype pollution attack patterns. """ from = "now-9m" index = ["logs-network_traffic.http*"] 
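Review bot: `like~` is case-insensitive, so `http.request.body.content like~ "*Function(*" and http.request.body.content like~ "*return*"` matches the lowercase `function(` in any posted JavaScript, which together with `return` is essentially every JS body POSTed anywhere, and `"*.exec*"` in the `child_process` group likewise matches `.execute`; use case-sensitive `like "*Function(*"` (or `"*new Function(*"`) and `"*.exec(*"` there. The mixed `and`/`or` chains in the `child_process` and `eval(`/`Function(` groups rely on `and` binding tighter than `or`, which is how EQL parses them, but explicit parentheses around each pair would make the intended pairing reviewable and stop a future edit from silently changing it. This rule shares `http.request.body.content` with the sibling rule, so the same prerequisite applies: the integration has to be configured to capture request bodies (not the default, as far as I know) or this BBR never produces anything.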
@@ -51,7 +51,7 @@ references = [ "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182", "https://github.com/assetnote/react2shell-scanner", "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/", - "https://github.com/msanft/CVE-2025-55182" + "https://github.com/msanft/CVE-2025-55182", ] risk_score = 73 rule_id = "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f" diff --git a/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml b/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml index c36f294c963..2e625988a7e 100644 --- a/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml +++ b/rules_building_block/initial_access_anomalous_rsc_flight_data_patterns.toml @@ -10,12 +10,12 @@ building_block_type = "default" description = """ This rule detects anomalous patterns in React Server Components (RSC) Flight protocol data streams that may indicate code injection or exploitation attempts. The Flight protocol is used by React and Next.js for server-client -communication, and should never contain Node.js code execution primitives like child_process, fs module calls, or -eval patterns. This building block rule casts a wider net to identify suspicious payloads that warrant further -investigation. +communication, and should never contain Node.js code execution primitives like child_process, fs module calls, or eval +patterns. This building block rule casts a wider net to identify suspicious payloads that warrant further investigation. """ -from = "now-9m" +from = "now-119m" index = ["logs-network_traffic.http*"] +interval = "60m" language = "eql" license = "Elastic License v2" name = "Anomalous React Server Components Flight Data Patterns" 
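Review bot: With `from = "now-119m"` and `interval = "60m"` the anomalous-Flight-data rule now runs on the standard building-block schedule, so if its `[metadata]` table (above this hunk) still carries `bypass_bbr_timing = true`, as the sibling BBR created earlier in this series does, that flag is now redundant and should be dropped so the normal BBR timing check applies. The two-hour look-back against a one-hour interval is the usual overlap that avoids ingest gaps; it is worth a short comment on the `from` line so the next editor does not "fix" it back to `now-9m`.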
@@ -25,7 +25,7 @@ references = [ "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182", "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/", "https://nextjs.org/docs/app/building-your-application/rendering/server-components", - "https://tonyalicea.dev/blog/understanding-react-server-components/" + "https://tonyalicea.dev/blog/understanding-react-server-components/", ] risk_score = 21 rule_id = "b9c8d7e6-5a4f-3c2b-1d0e-9f8a7b6c5d4e" @@ -44,7 +44,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -network where http.request.method == "POST" and http.response.status_code != 200 +network where http.request.method == "POST" and http.response.status_code != 200 and ( // Node.js child_process module ( @@ -97,7 +97,6 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -110,7 +109,9 @@ name = "JavaScript" reference = "https://attack.mitre.org/techniques/T1059/007/" + [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/" + From f40169cca5d25ee236addc9e58603dc000b0fd40 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Fri, 5 Dec 2025 11:59:35 -0500 Subject: [PATCH 09/13] removed BBR react2shell rule --- ...s_react_server_components_rce_attempt.toml | 116 ------------------ 1 file changed, 116 deletions(-) delete mode 100644 rules_building_block/initial_access_react_server_components_rce_attempt.toml diff --git a/rules_building_block/initial_access_react_server_components_rce_attempt.toml b/rules_building_block/initial_access_react_server_components_rce_attempt.toml deleted file mode 100644 index ee356b0c21e..00000000000 --- a/rules_building_block/initial_access_react_server_components_rce_attempt.toml +++ /dev/null 
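Review bot: In the `@@ -44,7 +44,7 @@` hunk, `http.response.status_code != 200 and` excludes not only confirmed 200 responses but also every event in which http.response.status_code is absent, because an EQL comparison against a missing field does not match; a POST whose response was not captured or not parsed will therefore never reach the body-content patterns that follow. If the intent is only to skip confirmed 200s, `not http.response.status_code == 200 and` keeps the missing-field case, but confirm this against the engine's null semantics before changing it. The enclosing `network where` query continues past the end of this hunk.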
@@ -1,116 +0,0 @@ -[metadata] -bypass_bbr_timing = true -creation_date = "2025/12/04" -integration = ["network_traffic"] -maturity = "production" -updated_date = "2025/12/04" - -[rule] -author = ["Elastic"] -building_block_type = "default" -description = """ -This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution -vulnerability in React Server Components (RSC). The vulnerability allows attackers to execute arbitrary code on the -server by sending specially crafted RSC deserialization payloads. -""" -from = "now-9m" -index = ["logs-network_traffic.http*"] -language = "eql" -license = "Elastic License v2" -name = "Potential React Server Components RCE Attempt (CVE-2025-55182)" -note = """## Triage and analysis - -### Investigating Potential React Server Components RCE Attempt (CVE-2025-55182) - -This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React Server Components (RSC). - -### Possible investigation steps - -- Examine the full HTTP request body to identify the specific attack payload variant. -- Identify the target application and verify if it runs vulnerable React or Next.js versions. -- Review the source IP for other reconnaissance or exploitation attempts against web applications. -- Check if any proof-of-exploitation files were created on the server (common RCE validation technique). -- Correlate with process execution logs to identify if child processes were spawned by the web server. - -### False positive analysis - -- Legitimate React Server Components traffic may contain specific patterns but should NOT contain constructor strings, or malformed references as property paths. -- Developer testing or security scanning tools may trigger this rule during authorized penetration testing. -- The combination of constructor or prototype strings with specific patterns is highly indicative of malicious activity. 
-- Testing environments from tools such as [react2shell-scanner](https://github.com/assetnote/react2shell-scanner). - -### Response and remediation - -- Immediately update affected applications to patched versions -- Block the source IP at the WAF/reverse proxy if exploitation is confirmed. -- If HTTP 500 responses were observed, assume the vulnerable code path was triggered and investigate for potential compromise. -- Review application logs for any evidence of successful code execution. -- Consider implementing input validation for RSC payloads at the application layer. -""" -references = [ - "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182", - "https://github.com/assetnote/react2shell-scanner", - "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/", -] -risk_score = 47 -rule_id = "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f" -severity = "medium" -tags = [ - "Domain: Network", - "Domain: Application", - "Domain: Web", - "Use Case: Threat Detection", - "Tactic: Initial Access", - "Tactic: Execution", - "Data Source: Network Packet Capture", - "Rule Type: BBR", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -network where http.request.method == "POST" and - ( - http.request.body.content like~ "*$ACTION_REF*" or - http.request.body.content like~ "*$ACTION_*:*" - ) and - ( - http.request.body.content like~ "*constructor*" or - http.request.body.content like~ "*__proto__*" or - http.request.body.content like~ "*prototype*" or - http.request.body.content regex~ """\$\d+:[a-z]+:[a-z]+""" - ) -''' - - -[[rule.threat]] -framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1190" -name = "Exploit Public-Facing Application" -reference = "https://attack.mitre.org/techniques/T1190/" - - -[rule.threat.tactic] -id = "TA0001" -name = "Initial Access" -reference = "https://attack.mitre.org/tactics/TA0001/" -[[rule.threat]] 
-framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1059" -name = "Command and Scripting Interpreter" -reference = "https://attack.mitre.org/techniques/T1059/" -[[rule.threat.technique.subtechnique]] -id = "T1059.007" -name = "JavaScript" -reference = "https://attack.mitre.org/techniques/T1059/007/" - - - -[rule.threat.tactic] -id = "TA0002" -name = "Execution" -reference = "https://attack.mitre.org/tactics/TA0002/" - From 9b078ddc09e0ca10a954dc7d1cace8af5aec428c Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Fri, 5 Dec 2025 12:01:33 -0500 Subject: [PATCH 10/13] adjusted regex to not be proto focused --- .../initial_access_react_server_components_rce_attempt.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/network/initial_access_react_server_components_rce_attempt.toml b/rules/network/initial_access_react_server_components_rce_attempt.toml index b27c8baee97..4c6ac0d4981 100644 --- a/rules/network/initial_access_react_server_components_rce_attempt.toml +++ b/rules/network/initial_access_react_server_components_rce_attempt.toml @@ -85,7 +85,7 @@ network where http.request.method == "POST" and ) or // RSC Flight chunk reference exploitation pattern ($N:property:property) ( - http.request.body.content regex~ """\$\d+:__proto__:[_a-zA-Z][_a-zA-Z0-9]*""" + http.request.body.content regex~ """\$\d+:[_a-zA-Z][_a-zA-Z0-9]*:[_a-zA-Z][_a-zA-Z0-9]*""" ) ) ''' From 0e2db42f76326a28e86ed97721b58877d9470a09 Mon Sep 17 00:00:00 2001 From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Fri, 5 Dec 2025 12:38:04 -0500 Subject: [PATCH 11/13] Update rules/network/initial_access_react_server_components_rce_attempt.toml Co-authored-by: Mika Ayenson, PhD --- .../initial_access_react_server_components_rce_attempt.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/rules/network/initial_access_react_server_components_rce_attempt.toml b/rules/network/initial_access_react_server_components_rce_attempt.toml index 4c6ac0d4981..704bca5e6c4 100644 --- a/rules/network/initial_access_react_server_components_rce_attempt.toml +++ b/rules/network/initial_access_react_server_components_rce_attempt.toml @@ -76,7 +76,8 @@ network where http.request.method == "POST" and // Successful CVE-2025-55182 RCE - command output in digest ( http.response.status_code in (500, 303) and - http.response.body.content like~ "*E{\"digest\"*" + http.response.body.content like "*E{\"digest\"*" and + http.request.body.content regex~ """\$\d+:[_a-zA-Z][_a-zA-Z0-9]*:[_a-zA-Z][_a-zA-Z0-9]*""" ) or // Prototype pollution patterns specific to RSC Flight exploitation ( From b4e0af1103261b495b7e549d1b8598fa147e7b49 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Fri, 5 Dec 2025 12:52:48 -0500 Subject: [PATCH 12/13] adjusted query --- ...ccess_react_server_components_rce_attempt.toml | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/rules/network/initial_access_react_server_components_rce_attempt.toml b/rules/network/initial_access_react_server_components_rce_attempt.toml index 704bca5e6c4..5b233865ed9 100644 --- a/rules/network/initial_access_react_server_components_rce_attempt.toml +++ b/rules/network/initial_access_react_server_components_rce_attempt.toml 
@@ -77,16 +77,15 @@ network where http.request.method == "POST" and ( http.response.status_code in (500, 303) and http.response.body.content like "*E{\"digest\"*" and - http.request.body.content regex~ """\$\d+:[_a-zA-Z][_a-zA-Z0-9]*:[_a-zA-Z][_a-zA-Z0-9]*""" + http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*""" + ) or // Prototype pollution patterns specific to RSC Flight exploitation - ( - http.request.body.content like~ "*__proto__*" and - http.request.body.content like~ "*constructor*" - ) or - // RSC Flight chunk reference exploitation pattern ($N:property:property) - ( - http.request.body.content regex~ """\$\d+:[_a-zA-Z][_a-zA-Z0-9]*:[_a-zA-Z][_a-zA-Z0-9]*""" + ( http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*""" and ( + ( + http.request.body.content like~ "*__proto__*" or + http.request.body.content like~ "*prototype*" + ) and http.request.body.content like~ "*constructor*") ) ) ''' From cdb34d7ff895cee448d076006b1c954c6fa0c91d Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Fri, 5 Dec 2025 16:09:25 -0500 Subject: [PATCH 13/13] removed constructor requirement --- ...ial_access_react_server_components_rce_attempt.toml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/network/initial_access_react_server_components_rce_attempt.toml b/rules/network/initial_access_react_server_components_rce_attempt.toml index 5b233865ed9..3742e5f28eb 100644 --- a/rules/network/initial_access_react_server_components_rce_attempt.toml +++ b/rules/network/initial_access_react_server_components_rce_attempt.toml 
@@ -76,16 +76,16 @@ network where http.request.method == "POST" and // Successful CVE-2025-55182 RCE - command output in digest ( http.response.status_code in (500, 303) and - http.response.body.content like "*E{\"digest\"*" and + http.response.body.content like~ "*E{\"digest\"*" and http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*""" - ) or - // Prototype pollution patterns specific to RSC Flight exploitation - ( http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*""" and ( + // Prototype pollution attempts in RSC Flight data (never legitimate) + ( + http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*""" and ( http.request.body.content like~ "*__proto__*" or http.request.body.content like~ "*prototype*" - ) and http.request.body.content like~ "*constructor*") + ) ) ) '''
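Review bot: The removed `    ) or` line that closed the digest group has no counterpart on the new side: as far as the hunk shows, after the `http.request.body.content regex~` line the next lines are the new comment and the `(` that opens the prototype-pollution group, so the `(` opened under `// Successful CVE-2025-55182 RCE - command output in digest` is never closed and the two alternatives have no operator between them, which should fail EQL parsing. Restore `    ) or` immediately after the first `regex~` line (before the new comment) so the digest group closes and joins the prototype-pollution group as an alternative. The outer `network where http.request.method == "POST" and (` that these groups belong to starts outside the hunk.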