Anomalous React Server Components Flight Data Patterns
editAnomalous React Server Components Flight Data Patterns
editThis rule detects anomalous patterns in React Server Components (RSC) Flight protocol data streams that may indicate code injection or exploitation attempts. The Flight protocol is used by React and Next.js for server-client communication, and should never contain Node.js code execution primitives like child_process, fs module calls, or eval patterns. This building block rule casts a wider net to identify suspicious payloads that warrant further investigation.
Rule type: eql
Rule indices:
- logs-network_traffic.http*
Severity: low
Risk score: 21
Runs every: 60m
Searches indices from: now-119m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
- https://react.dev/reference/rsc/server-components
- https://github.com/facebook/react/blob/main/packages/react-server/src/ReactFlightServer.js
- https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
- https://slcyber.io/research-center/high-fidelity-detection-mechanism-for-rsc-next-js-rce-cve-2025-55182-cve-2025-66478/
- https://nextjs.org/docs/app/building-your-application/rendering/server-components
- https://tonyalicea.dev/blog/understanding-react-server-components/
Tags:
- Domain: Network
- Domain: Application
- Domain: Web
- Use Case: Threat Detection
- Tactic: Initial Access
- Tactic: Execution
- Data Source: Network Packet Capture
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editnetwork where http.request.method == "POST" and http.response.status_code != 200 and
(
// Node.js child_process module
(
http.request.body.content like~ "*require('child_process')*" or
http.request.body.content like~ "*require(\"child_process\")*" or
http.request.body.content like~ "*child_process*" and http.request.body.content like~ "*.exec*"
) or
// Node.js synchronous execution methods
(
http.request.body.content like~ "*.execSync(*" or
http.request.body.content like~ "*.spawnSync(*" or
http.request.body.content like~ "*.execFileSync(*"
) or
// Node.js file system operations - suspicious in RSC context
(
http.request.body.content like~ "*require('fs')*" or
http.request.body.content like~ "*require(\"fs\")*" or
http.request.body.content like~ "*.readFileSync(*" or
http.request.body.content like~ "*.writeFileSync(*" or
http.request.body.content like~ "*.unlinkSync(*"
) or
// Process and module access patterns used in exploitation
(
http.request.body.content like~ "*process.mainModule*" or
http.request.body.content like~ "*process.binding*" or
http.request.body.content like~ "*process.dlopen*"
) or
// JavaScript code execution primitives
(
http.request.body.content like~ "*eval(*" and http.request.body.content like~ "*require*" or
http.request.body.content like~ "*Function(*" and http.request.body.content like~ "*return*"
) or
// Generic prototype pollution indicators
(
http.request.body.content like~ "*prototype*" and http.request.body.content like~ "*constructor*"
)
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Exploit Public-Facing Application
- ID: T1190
- Reference URL: https://attack.mitre.org/techniques/T1190/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Sub-technique:
- Name: JavaScript
- ID: T1059.007
- Reference URL: https://attack.mitre.org/techniques/T1059/007/