|
| 1 | +[metadata] |
| 2 | +bypass_bbr_timing = true |
| 3 | +creation_date = "2025/12/04" |
| 4 | +integration = ["network_traffic"] |
| 5 | +maturity = "production" |
| 6 | +updated_date = "2025/12/04" |
| 7 | + |
| 8 | +[rule] |
| 9 | +author = ["Elastic"] |
| 10 | +building_block_type = "default" |
| 11 | +description = """ |
| 12 | +This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution |
| 13 | +vulnerability in React Server Components (RSC). The vulnerability exists in React versions 19.0.0 to 19.2.0 and Next.js |
| 14 | +versions prior to 15.1.3, allowing attackers to execute arbitrary code on the server by sending specially crafted RSC |
| 15 | +deserialization payloads. |
| 16 | +""" |
| 17 | +from = "now-9m" |
| 18 | +interval = "8m" |
| 19 | +language = "esql" |
| 20 | +license = "Elastic License v2" |
| 21 | +name = "Potential React Server Components RCE Attempt (CVE-2025-55182)" |
| 22 | +note = """## Triage and analysis |
| 23 | +
|
| 24 | +### Investigating Potential React Server Components RCE Attempt (CVE-2025-55182) |
| 25 | +
|
| 26 | +This rule detects potential exploitation attempts against CVE-2025-55182/CVE-2025-66478, a critical CVSS 10.0 vulnerability affecting React 19.0.0-19.2.0 and Next.js versions prior to 15.1.3. The vulnerability allows remote code execution through malformed React Server Component (RSC) deserialization payloads. |
| 27 | +
|
| 28 | +### Possible investigation steps |
| 29 | +
|
| 30 | +- Examine the full HTTP request body to identify the specific attack payload variant (constructor chain, __proto__ access, or malformed references). |
| 31 | +- Identify the target application and verify if it runs vulnerable React or Next.js versions. |
| 32 | +- Review the source IP for other reconnaissance or exploitation attempts against web applications. |
| 33 | +- Check if any proof-of-exploitation files were created on the server (common RCE validation technique). |
| 34 | +- Correlate with process execution logs to identify if child processes were spawned by the web server. |
| 35 | +
|
| 36 | +### False positive analysis |
| 37 | +
|
| 38 | +- Legitimate React Server Components traffic may contain `$ACTION_` patterns but should NOT contain `constructor`, `__proto__`, or malformed references like `$N:a:a` as property paths. |
| 39 | +- Developer testing or security scanning tools may trigger this rule during authorized penetration testing. |
| 40 | +- The combination of `$ACTION_REF` with prototype-related strings is a strong indicator of exploitation attempt. |
| 41 | +- Testing environments from tools such as [react2shell-scanner](https://github.com/assetnote/react2shell-scanner). |
| 42 | +
|
| 43 | +### Response and remediation |
| 44 | +
|
| 45 | +- Immediately update affected applications to patched versions |
| 46 | +- Block the source IP at the WAF/reverse proxy if exploitation is confirmed. |
| 47 | +- If HTTP 500 responses were observed, assume the vulnerable code path was triggered and investigate for potential compromise. |
| 48 | +- Review application logs for any evidence of successful code execution. |
| 49 | +- Consider implementing input validation for RSC payloads at the application layer. |
| 50 | +""" |
| 51 | +references = [ |
| 52 | + "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182", |
| 53 | + "https://github.com/assetnote/react2shell-scanner", |
| 54 | + "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/", |
| 55 | +] |
| 56 | +risk_score = 47 |
| 57 | +rule_id = "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f" |
| 58 | +severity = "medium" |
| 59 | +tags = [ |
| 60 | + "Domain: Network", |
| 61 | + "Domain: Application", |
| 62 | + "Domain: Web", |
| 63 | + "Use Case: Threat Detection", |
| 64 | + "Tactic: Initial Access", |
| 65 | + "Tactic: Execution", |
| 66 | + "Data Source: Network Packet Capture", |
| 67 | + "Rule Type: BBR", |
| 68 | + "Resources: Investigation Guide", |
| 69 | +] |
| 70 | +timestamp_override = "event.ingested" |
| 71 | +type = "esql" |
| 72 | + |
| 73 | +query = ''' |
| 74 | +FROM logs-network_traffic.http-* metadata _id, _version, _index |
| 75 | +| WHERE http.request.method == "POST" |
| 76 | + AND ( |
| 77 | + http.request.body.content LIKE "*$ACTION_REF*" |
| 78 | + OR http.request.body.content LIKE "*$ACTION_*:*" |
| 79 | + ) |
| 80 | + AND ( |
| 81 | + http.request.body.content LIKE "*constructor*" |
| 82 | + OR http.request.body.content LIKE "*__proto__*" |
| 83 | + OR http.request.body.content LIKE "*prototype*" |
| 84 | + OR http.request.body.content RLIKE """\$\d+:[a-z]+:[a-z]+""" |
| 85 | + ) |
| 86 | +| KEEP * |
| 87 | +''' |
| 88 | + |
| 89 | + |
| 90 | +[[rule.threat]] |
| 91 | +framework = "MITRE ATT&CK" |
| 92 | +[[rule.threat.technique]] |
| 93 | +id = "T1190" |
| 94 | +name = "Exploit Public-Facing Application" |
| 95 | +reference = "https://attack.mitre.org/techniques/T1190/" |
| 96 | + |
| 97 | + |
| 98 | +[rule.threat.tactic] |
| 99 | +id = "TA0001" |
| 100 | +name = "Initial Access" |
| 101 | +reference = "https://attack.mitre.org/tactics/TA0001/" |
| 102 | +[[rule.threat]] |
| 103 | +framework = "MITRE ATT&CK" |
| 104 | +[[rule.threat.technique]] |
| 105 | +id = "T1059" |
| 106 | +name = "Command and Scripting Interpreter" |
| 107 | +reference = "https://attack.mitre.org/techniques/T1059/" |
| 108 | +[[rule.threat.technique.subtechnique]] |
| 109 | +id = "T1059.007" |
| 110 | +name = "JavaScript" |
| 111 | +reference = "https://attack.mitre.org/techniques/T1059/007/" |
| 112 | + |
| 113 | + |
| 114 | + |
| 115 | +[rule.threat.tactic] |
| 116 | +id = "TA0002" |
| 117 | +name = "Execution" |
| 118 | +reference = "https://attack.mitre.org/tactics/TA0002/" |
| 119 | + |
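Review bot: The `RLIKE """\$\d+:[a-z]+:[a-z]+"""` branch at file line 84 looks dead, because ES|QL RLIKE matches the pattern against the whole field value (Lucene regex semantics) and so only fires when the entire request body is a bare `$N:a:a` token, which can never also satisfy the `$ACTION_` clause above it. That means the malformed-reference variant the triage note calls out is caught only when the body also happens to contain `constructor`, `__proto__` or `prototype`. Unless the rule was validated against a sample body carrying such a reference path, the line should read `OR http.request.body.content RLIKE """.*\$[0-9]+:[a-z]+:[a-z]+.*"""`, with `[0-9]` in place of `\d` so the pattern does not depend on the deployed stack's regex engine accepting Perl-style shorthand classes. A `//` comment above it, e.g. `// malformed RSC reference path such as $1:a:a (see triage note)`, would document the only branch whose intent is not obvious from the literal.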