Linux Suspicious React or Next.js Child Process

This analytic detects Linux processes such as sh, bash, and common Linux LOLBINs being spawned by React or Next.js application servers. In the context of CVE-2025-55182 / React2Shell / CVE-2025-66478 for Next.js, successful exploitation can lead to arbitrary JavaScript execution on the server, which in turn is commonly used to invoke Node's child_process APIs (for example child_process.execSync) to run OS-level commands. Public proof-of-concept payloads and observed in-the-wild exploit traffic show patterns where the vulnerable React Server Components handler triggers process.mainModule.require('child_process').execSync() to execute binaries such as ping, curl, or arbitrary shells on the underlying host. This detection focuses on suspicious child processes where a Next/React server process spawns an uncommon process. Such activity might be a strong indicator of exploitation of the aforementioned vulnerability.