React2Shell Network Security Alert

  1[metadata]
  2creation_date = "2025/12/10"
  3integration = ["panw", "cisco_ftd", "fortinet_fortigate", "suricata"]
  4maturity = "production"
  5updated_date = "2025/12/10"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rule identifies network security alerts related to CVE-2025-55182 exploitation attempts from different network security
 11integrations. CVE-2025-55182 is a critical remote code execution vulnerability in React Server Components (RSC) Flight protocol.
 12The vulnerability allows attackers to execute arbitrary code on the server by sending specially crafted deserialization payloads
 13that exploit prototype chain traversal to access the Function constructor.
 14"""
 15from = "now-9m"
 16index = ["logs-panw.panos*", "logs-cisco_ftd.*", "logs-fortinet_fortigate.*", "logs-suricata.*"]
 17language = "kuery"
 18license = "Elastic License v2"
 19name = "React2Shell Network Security Alert"
 20note = """## Triage and analysis
 21
 22### Investigating React2Shell Network Security Alert
 23
 24This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React's Flight protocol used by Next.js and other RSC implementations. The vulnerability stems from insecure prototype chain traversal in the Flight deserializer, allowing attackers to access `__proto__`, `constructor`, and ultimately the `Function` constructor to execute arbitrary code.
 25
 26### Possible investigation steps
 27
 28- Examine the full HTTP request body to identify the specific attack payload and command being executed.
 29- Check the response body for `E{"digest":"..."}` patterns which contain command output from successful exploitation.
 30- Identify the target application and verify if it runs vulnerable React (< 19.1.0) or Next.js (< 15.3.2) versions.
 31- Review the source IP for other reconnaissance or exploitation attempts against web applications.
 32- Check for the `Next-Action` header which is required for the exploit to work.
 33- Correlate with process execution logs to identify if child processes (e.g., shell commands) were spawned by the Node.js process.
 34
 35### False positive analysis
 36
 37- Legitimate React Server Components traffic will NOT contain `__proto__`, `constructor:constructor`, or code execution patterns.
 38- Security scanning tools like react2shell-scanner may trigger this rule during authorized penetration testing.
 39- The combination of prototype pollution patterns with RSC-specific syntax is highly indicative of malicious activity.
 40
 41### Response and remediation
 42
 43- Immediately update affected applications: React >= 19.1.0, Next.js >= 15.3.2.
 44- Block the source IP at the WAF/reverse proxy if exploitation is confirmed.
 45- If HTTP 500 or 303 responses with `digest` output were observed, assume successful code execution and investigate for compromise.
 46- Review server logs for evidence of command execution (file creation, network connections, process spawning).
 47- Implement WAF rules to block requests containing `__proto__` or `constructor:constructor` in POST bodies.
 48"""
 49references = [
 50    "https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182",
 51    "https://github.com/assetnote/react2shell-scanner",
 52    "https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/",
 53    "https://github.com/msanft/CVE-2025-55182",
 54]
 55risk_score = 73
 56rule_id = "1aefed68-eecd-47cc-9044-4a394b60061d"
 57severity = "high"
 58tags = [
 59    "Domain: Network",
 60    "Domain: Application",
 61    "Domain: Web",
 62    "Use Case: Threat Detection",
 63    "Use Case: Vulnerability",
 64    "Tactic: Initial Access",
 65    "Tactic: Execution",
 66    "Data Source: PAN-OS",
 67    "Data Source: Fortinet",
 68    "Data Source: Suricata",
 69    "Data Source: Cisco FTD",
 70    "Resources: Investigation Guide",
 71]
 72timestamp_override = "event.ingested"
 73type = "query"
 74
 75query = '''
 76(event.dataset:"cisco_ftd.log" and message:"SERVER-WEBAPP React Server Components remote code execution attempt") or
 77(event.dataset:"fortinet_fortigate.log" and message:"applications3: React.Server.Components.react-flight.Remote.Code.Execution") or
 78(event.dataset:"panw.panos" and event.action:"exploit_detected" and event.original :*React*Server*) or
 79(event.dataset:("suricata_corelight" or "suricata.eve") and rule.name:*CVE-2025-55182*)
 80'''
 81
 82
 83[[rule.threat]]
 84framework = "MITRE ATT&CK"
 85[[rule.threat.technique]]
 86id = "T1190"
 87name = "Exploit Public-Facing Application"
 88reference = "https://attack.mitre.org/techniques/T1190/"
 89
 90
 91[rule.threat.tactic]
 92id = "TA0001"
 93name = "Initial Access"
 94reference = "https://attack.mitre.org/tactics/TA0001/"
 95[[rule.threat]]
 96framework = "MITRE ATT&CK"
 97[[rule.threat.technique]]
 98id = "T1059"
 99name = "Command and Scripting Interpreter"
100reference = "https://attack.mitre.org/techniques/T1059/"
101[[rule.threat.technique.subtechnique]]
102id = "T1059.007"
103name = "JavaScript"
104reference = "https://attack.mitre.org/techniques/T1059/007/"
105
106
107
108[rule.threat.tactic]
109id = "TA0002"
110name = "Execution"
111reference = "https://attack.mitre.org/tactics/TA0002/"