Closed
Description
Summary
Critical (CVSS 10.0) remote code execution vulnerability in React Server Components (RSC) deserialization affecting:
- react-server-dom*: 19.0.0, 19.1.0, 19.1.1, 19.2.0
- Next.js: 14.3.0-canary, 15.x, and 16.x (with App Router)
Detection
Exploitation attempts can be identified by specific patterns in HTTP POST requests targeting RSC endpoints, resulting in HTTP 500 responses with RSC error digest format.
Can rely on NPC integration for these details.
FROM logs-network_traffic.http*
| WHERE http.request.method == "POST"
AND request LIKE "*multipart/form-data*"
AND (
http.request.body.content LIKE "*constructor*"
OR http.request.body.content LIKE "*__proto__*"
// RLIKE matches the whole field value, so the reference pattern needs leading/trailing .* to act as "contains"; [0-9] is used instead of \d for Lucene regex syntax
OR http.request.body.content RLIKE """.*\$[0-9]+:[a-z]+:[a-z]+.*"""
)
AND (
http.request.body.content LIKE "*Next-Action*"
OR http.request.body.content LIKE "*$ACTION*"
OR request LIKE "*Next-Action:*"
)
A building block rule (BBR) will be created to monitor activity in the meantime and is susceptible to change based on further research and/or additional information about the vulnerability and actual PoC.
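As an added example that is not part of this issue or the detection-rules repository, the predicate of the ES|QL query above is re-implemented in Python and run over a handful of constructed, packet-capture-shaped events. The event layout (a nested `http.request.*` / `http.response.*` object plus a raw `request` string) mirrors the fields the query references; the sample bodies, header values and the `$1:alpha:beta` reference are made up and carry no real payload. The `is_corroborated` check is an addition based on the issue's note that attempts end in HTTP 500; it is not part of the query.

```python
import re

# The same three body indicators the ES|QL query looks for.
# re.search() is a "contains" match, which is what the RLIKE needs its
# leading/trailing .* for.
RSC_REF_RE = re.compile(r"\$\d+:[a-z]+:[a-z]+")
PROTOTYPE_TOKENS = ("constructor", "__proto__")
ACTION_TOKENS = ("Next-Action", "$ACTION")


def _get(event, path, default=""):
    """Walk a dotted ECS-style path such as 'http.request.method' through nested dicts."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_suspicious_rsc_post(event):
    """Mirror the query's WHERE clause: POST + multipart + (gadget token) AND (action marker)."""
    if _get(event, "http.request.method") != "POST":
        return False
    raw_request = _get(event, "request")  # full request text, packetbeat-style (assumed field)
    if "multipart/form-data" not in raw_request:
        return False
    body = _get(event, "http.request.body.content")
    gadget_hint = any(tok in body for tok in PROTOTYPE_TOKENS) or RSC_REF_RE.search(body) is not None
    action_hint = any(tok in body for tok in ACTION_TOKENS) or "Next-Action:" in raw_request
    return gadget_hint and action_hint


def is_corroborated(event):
    """Added signal from the issue text, not from the query: the server answered 500."""
    return is_suspicious_rsc_post(event) and _get(event, "http.response.status_code") == 500


def triage(events):
    """Return (flagged_ids, corroborated_ids) for a batch of events."""
    flagged = [e["id"] for e in events if is_suspicious_rsc_post(e)]
    corroborated = [e["id"] for e in events if is_corroborated(e)]
    return flagged, corroborated


def make_event(eid, method, headers, body, status):
    """Build a constructed event in the shape the query expects (hypothetical helper)."""
    raw = (f"{method} /app/page HTTP/1.1\r\n"
           + "".join(f"{k}: {v}\r\n" for k, v in headers.items())
           + "\r\n" + body)
    return {
        "id": eid,
        "request": raw,
        "http": {
            "request": {"method": method, "body": {"content": body}},
            "response": {"status_code": status},
        },
    }


MULTIPART = "multipart/form-data; boundary=----x"

# Constructed sample events; none of this is real traffic.
SAMPLE_EVENTS = [
    # Next-Action header plus an RSC-style reference in the body; server returned 500.
    make_event("rsc-ref", "POST", {"Content-Type": MULTIPART, "Next-Action": "abc"},
               '------x\r\nContent-Disposition: form-data; name="0"\r\n\r\n'
               '["$1:alpha:beta"]\r\n------x--', 500),
    # $ACTION marker and __proto__ in the body, but the request was served normally.
    make_event("proto-200", "POST", {"Content-Type": MULTIPART},
               '{"$ACTION":"x","__proto__":{}}', 200),
    # __proto__ present but no action marker anywhere: second AND clause fails.
    make_event("proto-no-action", "POST", {"Content-Type": MULTIPART},
               '{"__proto__":{}}', 500),
    # Ordinary multipart upload to a server action: no gadget token.
    make_event("benign", "POST", {"Content-Type": MULTIPART, "Next-Action": "abc"},
               'name="avatar"; filename="me.png"', 200),
    # GET never matches regardless of body.
    make_event("get", "GET", {"Next-Action": "abc"}, "constructor", 500),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # (['rsc-ref', 'proto-200'], ['rsc-ref'])
```

Running the block prints the two flagged event ids and the single one that also carries the 500 response, which is the split a building block rule (all matches) versus an alerting rule (corroborated matches) would produce. The `proto-no-action` event shows why the query keeps both groups AND-ed: a prototype token alone is common in ordinary JSON and would be noisy on its own.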
References