React2Shell (CVE-2025-55182) Exploitation Attempt

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

React2Shell (CVE-2025-55182) Exploitation Attempt

This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React Server Components (RSC) Flight protocol. The vulnerability allows attackers to execute arbitrary code on the server by sending specially crafted deserialization payloads that exploit prototype chain traversal to access the Function constructor. This rule focuses on high-fidelity indicators of active exploitation including successful command execution responses and prototype pollution attack patterns.

Rule type: eql

Rule indices:

logs-network_traffic.http*

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Network
Domain: Application
Domain: Web
Use Case: Threat Detection
Use Case: Vulnerability
Tactic: Initial Access
Tactic: Execution
Data Source: Network Packet Capture
Resources: Investigation Guide

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating React2Shell (CVE-2025-55182) Exploitation Attempt

This rule detects exploitation attempts targeting CVE-2025-55182, a critical remote code execution vulnerability in React’s Flight protocol used by Next.js and other RSC implementations. The vulnerability stems from insecure prototype chain traversal in the Flight deserializer, allowing attackers to access __proto__, constructor, and ultimately the Function constructor to execute arbitrary code.

Possible investigation steps

Examine the full HTTP request body to identify the specific attack payload and command being executed.
Check the response body for E{"digest":"..."} patterns which contain command output from successful exploitation.
Identify the target application and verify if it runs vulnerable React (< 19.1.0) or Next.js (< 15.3.2) versions.
Review the source IP for other reconnaissance or exploitation attempts against web applications.
Check for the Next-Action header which is required for the exploit to work.
Correlate with process execution logs to identify if child processes (e.g., shell commands) were spawned by the Node.js process.

False positive analysis

Legitimate React Server Components traffic will NOT contain __proto__, constructor:constructor, or code execution patterns.
Security scanning tools like react2shell-scanner may trigger this rule during authorized penetration testing.
The combination of prototype pollution patterns with RSC-specific syntax is highly indicative of malicious activity.

Response and remediation

Immediately update affected applications: React >= 19.1.0, Next.js >= 15.3.2.
Block the source IP at the WAF/reverse proxy if exploitation is confirmed.
If HTTP 500 or 303 responses with digest output were observed, assume successful code execution and investigate for compromise.
Review server logs for evidence of command execution (file creation, network connections, process spawning).
Implement WAF rules to block requests containing __proto__ or constructor:constructor in POST bodies.

Rule query

edit

network where http.request.method == "POST" and
(
    // Successful CVE-2025-55182 RCE - command output in digest
    (
        http.response.status_code in (500, 303) and
        http.response.body.content like~ "*E{\"digest\"*" and
        http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*"""
    ) or
    // Prototype pollution attempts in RSC Flight data (never legitimate)
    (
        http.request.body.content regex~ """.*\$[0-9]+:[a-zA-Z_0-9]+:[a-zA-Z_0-9]+.*""" and
        (
            http.request.body.content like~ "*__proto__*" or
            http.request.body.content like~ "*prototype*"
        )
    )
)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Exploit Public-Facing Application
- ID: T1190
- Reference URL: https://attack.mitre.org/techniques/T1190/
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
Sub-technique:
- Name: JavaScript
- ID: T1059.007
- Reference URL: https://attack.mitre.org/techniques/T1059/007/

« Rare User Logon Registry Persistence via AppCert DLL »