Suspicious React Server Child Process

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies suspicious child processes spawned by React server applications, which may indicate successful exploitation of the critical vulnerabilities CVE-2025-55182 and CVE-2025-66478. These vulnerabilities allow attackers to execute arbitrary code through insecure deserialization of React Server Components (RSC) Flight payloads and primarily affect servers running React 19.x or newer and Next.js 14.3.0-canary and later. The rule uses EQL (Event Query Language) to monitor process creation events in which a Node.js application running React or Next.js spawns a suspicious child. The key behavior flagged is the execution of common shell and system commands, which suggests that an attacker has gained initial access through a deserialization attack. The rule also provides a detailed investigation guide: verifying the legitimacy of the detected processes, analyzing web server access logs for suspicious payloads, and identifying post-exploitation artifacts. Recommended response and remediation actions include isolating the affected host, removing persistence mechanisms, rotating credentials, and patching the software to prevent further exploitation. The rule is classified as high risk; for organizations running React and Next.js, it provides early detection of potential breaches and strengthens their security posture against exploitation of these vulnerabilities.
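As an added example (not Elastic's rule, whose EQL is not reproduced on this page), the following Python models the behavior the summary describes over constructed process-creation events: a Node.js parent whose command line looks like a React/Next.js server spawning a shell or system utility. The child-process list, the command-line markers and the sample events are assumptions made for this example.

```python
from dataclasses import dataclass

# Child process names that a React/Next.js server has no normal reason to
# spawn (assumed list for this example, not the rule's own list).
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "id", "whoami", "uname",
                       "curl", "wget", "nc", "python3", "perl"}
# Command-line markers suggesting the Node.js parent is a React/Next.js
# server (assumed for this example).
REACT_SERVER_MARKERS = ("next start", "next dev", ".next/", "react-server")

@dataclass
class ProcessEvent:
    action: str          # "start" = process creation
    name: str            # executable name of the new process
    args: str            # its full command line
    parent_name: str     # executable name of the parent
    parent_args: str     # parent's command line

def is_react_server_parent(ev: ProcessEvent) -> bool:
    """Parent is Node.js and its command line looks like a React/Next.js server."""
    return ev.parent_name in ("node", "nodejs") and any(
        marker in ev.parent_args for marker in REACT_SERVER_MARKERS)

def is_suspicious_child(ev: ProcessEvent) -> bool:
    """The newly started process is a shell or common system utility."""
    return ev.action == "start" and ev.name in SUSPICIOUS_CHILDREN

def detect(events):
    """Return the events matching both conditions (the alert candidates)."""
    return [ev for ev in events
            if is_react_server_parent(ev) and is_suspicious_child(ev)]

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # Benign: the Next.js server forks a Node worker.
    ProcessEvent("start", "node", "node .next/server/worker.js",
                 "node", "node_modules/.bin/next start"),
    # Suspicious: the same server spawns a shell running a system command.
    ProcessEvent("start", "sh", "sh -c id",
                 "node", "node_modules/.bin/next start"),
    # Unrelated: cron spawning a shell; the parent is not a React server.
    ProcessEvent("start", "sh", "sh -c /usr/local/bin/backup.sh",
                 "cron", "/usr/sbin/cron"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit.parent_args!r} spawned {hit.args!r}")
```

The benign worker fork and the cron job are not flagged, so the investigation step of verifying process legitimacy starts from only the Node-parent shell spawn.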
Categories
  • Endpoint
  • Web
  • Application
Data Sources
  • Process
  • User Account
  • File
  • Network Traffic
ATT&CK Techniques
  • T1190
Created: 2025-12-04