|
| 1 | +[metadata] |
| 2 | +creation_date = "2025/12/04" |
| 3 | +integration = ["network_traffic"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/12/04" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic"] |
| 9 | +description = """ |
| 10 | +This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution |
| 11 | +vulnerability in React Server Components (RSC). The vulnerability allows attackers to execute arbitrary code on the |
| 12 | +server by sending specially crafted RSC deserialization payloads. |
| 13 | +""" |
| 14 | +from = "now-9m" |
| 15 | +index = ["logs-network_traffic.http*"] |
| 16 | +language = "eql" |
| 17 | +license = "Elastic License v2" |
| 18 | +name = "Potential React Server Components RCE Attempt (CVE-2025-55182)" |
| 19 | +note = """## Triage and analysis |
| 20 | +
|
| 21 | +### Investigating Potential React Server Components RCE Attempt (CVE-2025-55182) |
| 22 | +
|
| 23 | +This rule detects potential exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React Server Components (RSC). |
| 24 | +
|
| 25 | +### Possible investigation steps |
| 26 | +
|
| 27 | +- Examine the full HTTP request body to identify the specific attack payload variant. |
| 28 | +- Identify the target application and verify if it runs vulnerable React or Next.js versions. |
| 29 | +- Review the source IP for other reconnaissance or exploitation attempts against web applications. |
| 30 | +- Check if any proof-of-exploitation files were created on the server (common RCE validation technique). |
| 31 | +- Correlate with process execution logs to identify if child processes were spawned by the web server. |
| 32 | +
|
| 33 | +### False positive analysis |
| 34 | +
|
| 35 | +- Legitimate React Server Components traffic may contain specific patterns but should NOT contain constructor strings, or malformed references as property paths. |
| 36 | +- Developer testing or security scanning tools may trigger this rule during authorized penetration testing. |
| 37 | +- The combination of constructor or prototype strings with specific patterns is highly indicative of malicious activity. |
| 38 | +- Testing environments from tools such as [react2shell-scanner](https://github.com/assetnote/react2shell-scanner). |
| 39 | +
|
| 40 | +### Response and remediation |
| 41 | +
|
| 42 | +- Immediately update affected applications to patched versions |
| 43 | +- Block the source IP at the WAF/reverse proxy if exploitation is confirmed. |
| 44 | +- If HTTP 500 or 303 responses were observed, assume the vulnerable code path was triggered and investigate for potential compromise. |
| 45 | +- Review application logs for any evidence of successful code execution. |
| 46 | +- Consider implementing input validation for RSC payloads at the application layer. |
| 47 | +""" |
| 48 | +references = [ |
| 49 | + "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182", |
| 50 | + "https://github.com/assetnote/react2shell-scanner", |
| 51 | + "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/", |
| 52 | + "https://github.com/msanft/CVE-2025-55182" |
| 53 | +] |
| 54 | +risk_score = 47 |
| 55 | +rule_id = "a8f7e9d4-3b2c-4d5e-8f1a-6c9b0e2d4a7f" |
| 56 | +severity = "medium" |
| 57 | +tags = [ |
| 58 | + "Domain: Network", |
| 59 | + "Domain: Application", |
| 60 | + "Domain: Web", |
| 61 | + "Use Case: Threat Detection", |
| 62 | + "Tactic: Initial Access", |
| 63 | + "Tactic: Execution", |
| 64 | + "Data Source: Network Packet Capture", |
| 65 | + "Resources: Investigation Guide", |
| 66 | +] |
| 67 | +timestamp_override = "event.ingested" |
| 68 | +type = "eql" |
| 69 | + |
| 70 | +query = ''' |
| 71 | +network where http.request.method == "POST" and |
| 72 | +( |
| 73 | + // Specific CVE-2025-55182 RCE indicators |
| 74 | + ( |
| 75 | + http.response.status_code in (500, 303) and |
| 76 | + http.response.body.content like~ "*E{\"digest\"*" and |
| 77 | + http.request.body.content like~ "*.execSync(*" |
| 78 | + ) or |
| 79 | + // Prototype pollution patterns in Flight protocol |
| 80 | + ( |
| 81 | + http.request.body.content like~ "*__proto__*" or |
| 82 | + http.request.body.content like~ "*constructor:constructor*" or |
| 83 | + http.request.body.content regex~ """\$\d+:[_a-zA-Z][_a-zA-Z0-9]*:[_a-zA-Z][_a-zA-Z0-9]*""" |
| 84 | + ) or |
| 85 | + // Node.js code execution attempts |
| 86 | + ( |
| 87 | + http.request.body.content like~ "*require('child_process')*" or |
| 88 | + http.request.body.content like~ "*require(\"child_process\")*" or |
| 89 | + http.request.body.content like~ "*process.mainModule*" or |
| 90 | + http.request.body.content like~ "*.exec(*" or |
| 91 | + http.request.body.content like~ "*.spawn(*" |
| 92 | + ) |
| 93 | +) |
| 94 | +''' |
| 95 | + |
| 96 | + |
| 97 | +[[rule.threat]] |
| 98 | +framework = "MITRE ATT&CK" |
| 99 | +[[rule.threat.technique]] |
| 100 | +id = "T1190" |
| 101 | +name = "Exploit Public-Facing Application" |
| 102 | +reference = "https://attack.mitre.org/techniques/T1190/" |
| 103 | + |
| 104 | + |
| 105 | +[rule.threat.tactic] |
| 106 | +id = "TA0001" |
| 107 | +name = "Initial Access" |
| 108 | +reference = "https://attack.mitre.org/tactics/TA0001/" |
| 109 | +[[rule.threat]] |
| 110 | +framework = "MITRE ATT&CK" |
| 111 | +[[rule.threat.technique]] |
| 112 | +id = "T1059" |
| 113 | +name = "Command and Scripting Interpreter" |
| 114 | +reference = "https://attack.mitre.org/techniques/T1059/" |
| 115 | +[[rule.threat.technique.subtechnique]] |
| 116 | +id = "T1059.007" |
| 117 | +name = "JavaScript" |
| 118 | +reference = "https://attack.mitre.org/techniques/T1059/007/" |
| 119 | + |
| 120 | + |
| 121 | + |
| 122 | +[rule.threat.tactic] |
| 123 | +id = "TA0002" |
| 124 | +name = "Execution" |
| 125 | +reference = "https://attack.mitre.org/tactics/TA0002/" |
| 126 | + |
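Review bot: The second and third groups of `query` (gutter 80–92) each fire on any POST whose body contains a single substring such as `.exec(` or `.spawn(`, with nothing tying the request to RSC traffic, so generic JavaScript uploads, bundles or CI payloads match on their own — and this contradicts the investigation guide's claim at gutter 37 that the rule keys on a combination of prototype strings with specific patterns. Only the first group is anchored to the vulnerable code path through the `E{"digest"` response; the other two should require an RSC-specific marker before any prototype or child_process substring counts, and the Flight reference regex at gutter 83 looks like that marker, though I have not verified it against the cited references. A restructured query along those lines follows; everything outside `query` is unchanged. Separately, since the rule reads `http.request.body.content` and `http.response.body.content` from `logs-network_traffic.http*`, the Packetbeat HTTP protocol must be configured to capture bodies (as far as I recall `send_request`/`send_response` and `include_body_for` are off by default), and a `setup` section stating that prerequisite would keep the rule from being silently empty in deployments that only capture headers.
```toml
query = '''
network where http.request.method == "POST" and
(
  // Vulnerable code path confirmed by the Flight error digest in the response
  (
    http.response.status_code in (500, 303) and
    http.response.body.content like~ "*E{\"digest\"*" and
    http.request.body.content like~ "*.execSync(*"
  ) or
  // Require a Flight reference chain alongside prototype or child_process indicators,
  // so plain JavaScript bodies containing .exec( or .spawn( do not match by themselves
  (
    http.request.body.content regex~ """\$\d+:[_a-zA-Z][_a-zA-Z0-9]*:[_a-zA-Z][_a-zA-Z0-9]*""" and
    (
      http.request.body.content like~ "*__proto__*" or
      http.request.body.content like~ "*constructor:constructor*" or
      http.request.body.content like~ "*require('child_process')*" or
      http.request.body.content like~ "*require(\"child_process\")*" or
      http.request.body.content like~ "*process.mainModule*" or
      http.request.body.content like~ "*.exec(*" or
      http.request.body.content like~ "*.spawn(*"
    )
  )
)
'''
```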