1name: crowdsecurity/vpatch-CVE-2025-55182
2description: 'Detects React RCE via crafted form action parameters exploiting server action handlers'
3# This rule is based on the information released by AWS here: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-030/
4# We don't have a working exploit at the moment, so it may or may not work as expected.
5rules:
6  - and:
7      - zones:
8        - METHOD
9        match:
10          type: equals
11          value: POST
12      - zones:
13        - HEADERS_NAMES
14        transform:
15          - lowercase
16        match:
17          type: regex
18          value: '(next-action)|(rsc-action-id)'
19      - zones:
20          - BODY_ARGS
21        transform:
22          - urldecode
23          - lowercase
24        match:
25          type: contains
26          value: 'status'  
27      - zones:
28          - BODY_ARGS
29        transform:
30          - urldecode
31          - lowercase
32        match:
33          type: contains
34          value: 'resolved_model'
35      - zones:
36          - BODY_ARGS
37        transform:
38          - urldecode
39          - lowercase
40        match:
41          type: contains
42          value: '$@'
43
44labels:
45  type: exploit
46  service: http
47  confidence: 3
48  spoofable: 0
49  behavior: 'http:exploit'
50  label: 'React - RCE'
51  classification:
52    - cve.CVE-2025-55182
53    - attack.T1190
54    - cwe.CWE-94
55