Detect CVE-2025-55182 — Meta React Server Components Remote Code Execution in Google Chronicle
Detects exploitation of CVE-2025-55182, a critical remote code execution vulnerability in Meta React Server Components. This vulnerability allows attackers to achieve server-side code execution by abusing the React Server Components protocol, potentially leading to full server compromise. The vulnerability is actively exploited in the wild (CISA KEV).
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence Impact
YARA-L Detection Query
rule cve_2025_55182_react_rce {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2025-55182 React Server Components RCE exploitation"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-55182"
yara_version = "YL2.0"
rule_version = "1.0"
events:
$e1.metadata.event_type = "PROCESS_LAUNCH"
$e1.principal.process.file.full_path = /(?i)(node|next)(\.(exe|js))?$/
(
$e1.target.process.command_line = /(?i)(child_process|execSync|spawnSync|eval|Function\(|vm\.runInNewContext)/
or $e1.target.file.full_path = /(?i)(\/tmp\/|\/var\/tmp\/|\\Temp\\).*\.(sh|py|elf|exe|pl)$/
)
$e1.principal.hostname = $host
$e2.metadata.event_type = "NETWORK_CONNECTION"
$e2.principal.process.file.full_path = /(?i)(node|next)(\.(exe|js))?$/
$e2.target.port in [4444, 1337, 9001, 8080, 8443]
$e2.principal.hostname = $host
match:
$host over 5m
condition:
$e1 or $e2
}Chronicle YARA-L rule that fires when Node.js/Next.js processes exhibit CVE-2025-55182 exploitation patterns: dangerous command-line arguments, temp directory file writes, or outbound connections to common reverse shell ports.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate CI build agents running on the same hosts as Node.js application servers
- Container sidecars that use Node.js to coordinate health checks involving shell commands
- Next.js image optimization workers that invoke native binaries via child_process
- Log aggregation agents implemented in Node.js that write temp files during rotation
Other platforms for CVE-2025-55182
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2025-55182 RSC Protocol RCE Simulation — Command Execution via child_process
Expected signal: EDR telemetry: ProcessCreate event with parent=node, child=sh or node with args containing execSync. Audit logs: execve syscall for 'id', 'whoami', 'hostname' with parent PID matching the node process.
- Test 2CVE-2025-55182 RSC Exploitation — Reverse Shell Payload Drop to /tmp
Expected signal: File creation event in /tmp with .sh extension, owned by node process user, with executable permissions set. EDR FileCreated event with FolderPath=/tmp and FileName=rsc_test_shell.sh.
- Test 3CVE-2025-55182 RSC Post-Exploitation — Dynamic Code Evaluation Abuse
Expected signal: Process event showing node.exe/node with args containing vm.runInNewContext. If eval succeeds, subsequent execve events for 'id' binary with node as ancestor process.
- Test 4CVE-2025-55182 RSC Network C2 Beacon Simulation
Expected signal: Network connection event from node process to 127.0.0.1:4444 (substitute real C2 IP in production test). EDR NetworkConnectionFound or equivalent with InitiatingProcessFileName=node and RemotePort=4444.
Unlock Pro Content
Get the full detection package for CVE-2025-55182 including response playbook, investigation guide, and atomic red team tests.