Linux Suspicious React or Next.js Child Process
This analytic detects Linux processes such as sh, bash, and common Linux LOLBINs being spawned by React or Next.js application servers. In the context of CVE-2025-55182 / React2Shell / CVE-2025-66478 for Next.js, successful exploitation can lead to arbitrary JavaScript execution on the server, which in turn is commonly used to invoke Node's child_process APIs (for example child_process.execSync) to run OS-level commands. Public proof-of-concept payloads and observed in-the-wild exploit traffic show patterns where the vulnerable React Server Components handler triggers process.mainModule.require('child_process').execSync() to execute binaries such as ping, curl, or arbitrary shells on the underlying host. This detection focuses on suspicious child processes where a Next/React server process spawns an uncommon process. Such activity might be a strong indicator of exploitation of the aforementioned vulnerability.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Processes
  where
    Processes.parent_process_name = "node"
    Processes.parent_process IN (
      "*--experimental-https*",
      "*--experimental-next-config-strip-types*",
      "*/node_modules/next*",
      "*next dev*",
      "*next start*",
      "*node_modules/.bin*",
      "*react-scripts start*",
      "*start-server.js*"
    )
    AND (
      Processes.process_name IN (
        "awk",
        "gawk",
        "ifconfig",
        "lua",
        "nc",
        "ncat",
        "netcat",
        "openssl",
        "perl",
        "php",
        "python",
        "python2",
        "python3",
        "ruby",
        "socat",
        "telnet"
      )
      OR (
        Processes.process_name IN ("curl", "wget")
        Processes.process = "*|*"
      )
      OR (
        Processes.process_name IN (
          "bash",
          "dash",
          "sh"
        )
        NOT Processes.process = "*-c*"
      )
      OR (
        Processes.process_name IN (
          "bash",
          "dash",
          "ksh",
          "sh",
          "zsh"
        )
        Processes.process IN (
          "*/dev/tcp/*",
          "*/dev/udp/*",
          "*0>&1*",
          "*curl*",
          "*exec *>&*",
          "*fsockopen*",
          "*ifconfig*",
          "*mkfifo*",
          "*nc *",
          "*ncat*",
          "*netcat*",
          "*proc_open*",
          "*s_client*",
          "*socat*",
          "*socket*",
          "*subprocess*",
          "*TCPSocket*",
          "*wget*"
        )
      )
    )
  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
    Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
    Processes.parent_process_name Processes.parent_process_path Processes.process
    Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
    Processes.process_integrity_level Processes.process_name Processes.process_path
    Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_suspicious_react_or_next_js_child_process_filter`
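As an added example (not part of this detection page and not Splunk's code), the following Python re-implements the search's where clause so each OR branch can be exercised offline against constructed Endpoint.Processes-style events before the rule is tuned in a real environment. The event dictionaries use the data model field names from the search (parent_process_name, parent_process, process_name, process); the hostnames, paths and command lines are made up, and the case-insensitive glob matching is an assumption about how the SPL wildcards behave rather than a statement of Splunk's exact matching semantics.

```python
# Added example: offline re-implementation of the detection's where clause.
# Not Splunk's code. Sample events are constructed; case-insensitive wildcard
# matching is an assumption, not a claim about Splunk's exact semantics.
from fnmatch import fnmatchcase

# Parent command-line patterns that identify a React / Next.js server process.
PARENT_PATTERNS = [
    "*--experimental-https*",
    "*--experimental-next-config-strip-types*",
    "*/node_modules/next*",
    "*next dev*",
    "*next start*",
    "*node_modules/.bin*",
    "*react-scripts start*",
    "*start-server.js*",
]

# Branch 1: interpreters and network tools that fire on any invocation.
INTERPRETERS = {"awk", "gawk", "ifconfig", "lua", "nc", "ncat", "netcat", "openssl",
                "perl", "php", "python", "python2", "python3", "ruby", "socat", "telnet"}
# Branch 2: downloaders whose command line contains a pipe.
DOWNLOADERS = {"curl", "wget"}
# Branch 3: shells started without a -c argument (an interactive-style spawn).
BARE_SHELLS = {"bash", "dash", "sh"}
# Branch 4: shells whose command line carries a network-oriented token.
SHELLS = {"bash", "dash", "ksh", "sh", "zsh"}
SHELL_CMDLINE_PATTERNS = [
    "*/dev/tcp/*", "*/dev/udp/*", "*0>&1*", "*curl*", "*exec *>&*", "*fsockopen*",
    "*ifconfig*", "*mkfifo*", "*nc *", "*ncat*", "*netcat*", "*proc_open*",
    "*s_client*", "*socat*", "*socket*", "*subprocess*", "*TCPSocket*", "*wget*",
]


def glob_any(value: str, patterns) -> bool:
    """SPL-style wildcard match: '*' matches any run of characters, case-insensitive."""
    value = value.lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def matching_branch(event: dict):
    """Return the name of the first OR branch the event satisfies, or None."""
    if event.get("parent_process_name") != "node":
        return None
    if not glob_any(event.get("parent_process", ""), PARENT_PATTERNS):
        return None
    name = event.get("process_name", "")
    cmdline = event.get("process", "")
    if name in INTERPRETERS:
        return "interpreter_or_network_tool"
    if name in DOWNLOADERS and "|" in cmdline:
        return "downloader_with_pipe"
    if name in BARE_SHELLS and not glob_any(cmdline, ["*-c*"]):
        return "bare_shell"
    if name in SHELLS and glob_any(cmdline, SHELL_CMDLINE_PATTERNS):
        return "shell_with_network_token"
    return None


def run_detection(events):
    """Return (dest, process, branch) for every event the search would surface."""
    hits = []
    for ev in events:
        branch = matching_branch(ev)
        if branch:
            hits.append((ev["dest"], ev["process"], branch))
    return hits


# Constructed sample events; hostnames, paths and command lines are invented.
NEXT_PARENT = "node /app/node_modules/next/dist/bin/next start"
SAMPLE_EVENTS = [
    {"dest": "web-01", "parent_process_name": "node", "parent_process": NEXT_PARENT,
     "process_name": "sh", "process": "sh -i"},
    {"dest": "web-01", "parent_process_name": "node", "parent_process": NEXT_PARENT,
     "process_name": "sh", "process": 'sh -c "ls -la /tmp"'},
    {"dest": "web-02", "parent_process_name": "node",
     "parent_process": "node /app/node_modules/.bin/react-scripts start",
     "process_name": "python3", "process": 'python3 -c "print(1)"'},
    {"dest": "web-03", "parent_process_name": "node",
     "parent_process": "node /app/server/start-server.js",
     "process_name": "curl", "process": "curl -s http://example.invalid/data | jq ."},
    {"dest": "web-01", "parent_process_name": "node", "parent_process": NEXT_PARENT,
     "process_name": "bash", "process": 'bash -c "echo ping > /dev/tcp/127.0.0.1/8080"'},
    {"dest": "build-01", "parent_process_name": "node",
     "parent_process": "node /usr/lib/node_modules/pm2/bin/pm2 start app.js",
     "process_name": "sh", "process": "sh"},
    {"dest": "web-01", "parent_process_name": "python3", "parent_process": "python3 app.py",
     "process_name": "bash", "process": "bash -i"},
]

if __name__ == "__main__":
    for dest, proc, branch in run_detection(SAMPLE_EVENTS):
        print(f"{dest}: {proc!r} -> {branch}")
```

Running it surfaces four of the seven events. The `sh -c "ls -la /tmp"` event is not one of them: the bare-shell branch excludes any command line containing `-c`, and that command line carries none of the network tokens, so a plain `-c` invocation only fires when it also hits a token such as `/dev/tcp/`. The last two events are dropped at the parent check, since the pm2 command line matches none of the parent patterns and the final event's parent is not `node` at all. Reporting which branch fired is useful when deciding what to put in the `linux_suspicious_react_or_next_js_child_process_filter` macro, because each branch tends to produce a different class of benign noise.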