CVE-2025-55182 — Meta React Server Components Remote Code Execution
Detects exploitation of CVE-2025-55182, a critical remote code execution vulnerability in Meta React Server Components. This vulnerability allows attackers to achieve server-side code execution by abusing the React Server Components protocol, potentially leading to full server compromise. The vulnerability is actively exploited in the wild (CISA KEV).
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Meta
- Product
- React Server Components
Timeline
- Disclosed
- December 5, 2025
CVSS
What is CVE-2025-55182 CVE-2025-55182 — Meta React Server Components Remote Code Execution?
CVE-2025-55182 — Meta React Server Components Remote Code Execution (CVE-2025-55182) maps to the Initial Access and Execution and Persistence and Impact tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2025-55182 — Meta React Server Components Remote Code Execution, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Monitor, Microsoft Sentinel. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence Impact
union DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents
| where TimeGenerated > ago(24h)
| where InitiatingProcessFileName in~ ("node", "node.exe", "next", "next.js")
| where (
(ActionType == "ProcessCreated" and ProcessCommandLine has_any ("child_process", "exec", "spawn", "execSync", "spawnSync", "eval", "Function(", "vm.runInNewContext", "__import__", "os.system"))
or (ActionType == "FileCreated" and FolderPath matches regex @"(?i)(\\tmp\\|/tmp/|\\var\\|/var/).*\.(sh|py|pl|rb|elf|exe)$")
or (ActionType == "NetworkConnectionFound" and RemotePort in (4444, 1337, 9001, 8080, 8443) and InitiatingProcessFileName in~ ("node", "node.exe"))
)
| extend RSCExploitIndicator = case(
ProcessCommandLine has_any ("child_process", "execSync", "spawnSync"), "CommandExecution",
ProcessCommandLine has_any ("eval", "Function(", "vm.runInNewContext"), "DynamicCodeEval",
FolderPath matches regex @"(?i)(/tmp/|\\tmp\\)", "SuspiciousFileWrite",
ActionType == "NetworkConnectionFound", "ReverseShellAttempt",
"Unknown"
)
| project TimeGenerated, DeviceName, ActionType, InitiatingProcessFileName, ProcessCommandLine, FolderPath, RemoteIP, RemotePort, RSCExploitIndicator
| sort by TimeGenerated descDetects Node.js processes (likely hosting React Server Components via Next.js or similar frameworks) spawning suspicious child processes, writing executables to temp directories, or making outbound connections consistent with reverse shell activity following CVE-2025-55182 exploitation.
Data Sources
Required Tables
False Positives
- Legitimate Next.js build processes that invoke child_process for bundling or SSG
- Development environments running eval-heavy test frameworks such as Jest
- Security scanning tools that probe Node.js processes for vulnerability assessment
- Automated deployment pipelines that spawn shell commands from Node.js scripts
Sigma rule & cross-platform mapping
The detection logic for CVE-2025-55182 — Meta React Server Components Remote Code Execution (CVE-2025-55182) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2025-55182
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2025-55182 RSC Protocol RCE Simulation — Command Execution via child_process
Expected signal: EDR telemetry: ProcessCreate event with parent=node, child=sh or node with args containing execSync. Audit logs: execve syscall for 'id', 'whoami', 'hostname' with parent PID matching the node process.
- Test 2CVE-2025-55182 RSC Exploitation — Reverse Shell Payload Drop to /tmp
Expected signal: File creation event in /tmp with .sh extension, owned by node process user, with executable permissions set. EDR FileCreated event with FolderPath=/tmp and FileName=rsc_test_shell.sh.
- Test 3CVE-2025-55182 RSC Post-Exploitation — Dynamic Code Evaluation Abuse
Expected signal: Process event showing node.exe/node with args containing vm.runInNewContext. If eval succeeds, subsequent execve events for 'id' binary with node as ancestor process.
- Test 4CVE-2025-55182 RSC Network C2 Beacon Simulation
Expected signal: Network connection event from node process to 127.0.0.1:4444 (substitute real C2 IP in production test). EDR NetworkConnectionFound or equivalent with InitiatingProcessFileName=node and RemotePort=4444.
Unlock Pro Content
Get the full detection package for CVE-2025-55182 including response playbook, investigation guide, and atomic red team tests.