Update rules/network/initial_access_react_server_components_rce_attempt.toml

terrancedejesus · Mikaayenson · web-flow · commit 0e2db42f7632 · 2025-12-05T12:38:04.000-05:00
Co-authored-by: Mika Ayenson, PhD &lt;Mikaayenson@users.noreply.github.com&gt;
diff --git a/rules/network/initial_access_react_server_components_rce_attempt.toml b/rules/network/initial_access_react_server_components_rce_attempt.toml
@@ -76,7 +76,8 @@ network where http.request.method == "POST" and
     // Successful CVE-2025-55182 RCE - command output in digest
     (
         http.response.status_code in (500, 303) and
-        http.response.body.content like~ "*E{\"digest\"*"
+        http.response.body.content like "*E{\"digest\"*" and
+        http.request.body.content regex~ """\$\d+:[_a-zA-Z][_a-zA-Z0-9]*:[_a-zA-Z][_a-zA-Z0-9]*"""
     ) or
     // Prototype pollution patterns specific to RSC Flight exploitation
     (

Original file line number	Diff line number	Diff line change
`@@ -76,7 +76,8 @@ network where http.request.method == "POST" and`
`76`	`76`	`// Successful CVE-2025-55182 RCE - command output in digest`
`77`	`77`	`(`
`78`	`78`	`http.response.status_code in (500, 303) and`
`79`		`- http.response.body.content like~ "E{\"digest\""`
	`79`	`+ http.response.body.content like "E{\"digest\"" and`
	`80`	`+ http.request.body.content regex~ """\$\d+:[_a-zA-Z][_a-zA-Z0-9]:[_a-zA-Z][_a-zA-Z0-9]"""`
`80`	`81`	`) or`
`81`	`82`	`// Prototype pollution patterns specific to RSC Flight exploitation`
`82`	`83`	`(`