Recently, vulnerabilities like CVE-2025-55182 and CVE-2025-66478 have raised alarms for Next.js and React developers. If you're using Wazuh for vulnerability detection, there's an important limitation you need to understand: npm packages installed into a project's own node_modules are not inventoried by default, so the CVEs affecting them are never reported.
Why Wazuh Might Miss Vulnerable Packages
Wazuh's Vulnerability Detection module works from the software inventory collected by the Syscollector module: only packages that Syscollector reports can be matched against the CVE feeds. Here's the catch:
- Global npm packages (npm install -g) are detected automatically. Standard paths include:
  /usr/lib/node_modules
  /usr/local/lib/node_modules
  C:\Program Files\nodejs\node_modules
  C:\Users\USER\AppData\Roaming\npm\node_modules
- Local project installs (the normal node_modules inside your project) are NOT scanned by default:
  /var/www/project/node_modules
  /home/user/app/node_modules
  /app/node_modules
According to Wazuh documentation, support for scanning NPM and PyPI packages is limited to default installation paths. The developers have confirmed that scanning arbitrary project folders is not planned.
This means that if your Next.js or React project has a vulnerable package installed locally, Wazuh may miss it entirely unless you take extra steps.
What You Can Do
Even if Syscollector won’t detect project-local packages, you can leverage File Integrity Monitoring (FIM) and custom log collection to track changes and spot potential risks:
1. Monitor Your Project Folder with FIM
Add a custom path in /var/ossec/etc/ossec.conf to monitor your project directory:
<syscheck>
<directories realtime="yes">/var/www/myapp</directories>
</syscheck>
This allows Wazuh to track:
- File creations, deletions, and modifications
- Changes in node_modules/ or config files
- Suspicious additions or tampering
Keep in mind that FIM tells you that something changed, not whether it is vulnerable. Every npm install produces a burst of events under node_modules/, so what you are really looking for is changes outside a planned deployment.
More details in the Wazuh FIM guide
2. Collect Logs from Build or Deployment
You can log your npm install and npm audit outputs and let Wazuh collect them:
<localfile>
<location>/var/www/myapp/install_deps.log</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>/var/www/myapp/build.log</location>
<log_format>syslog</log_format>
</localfile>
- Run npm install > install_deps.log 2>&1 in your build pipeline (without 2>&1, npm's warnings go to stderr and never reach the log)
- Optionally, run npm audit --json > audit.log and collect it with its own <localfile> entry. npm audit --json prints a multi-line JSON document, while Wazuh's json log format expects one JSON object per line, so flatten it (for example with jq -c .) before collecting it, or keep the syslog format and match on the raw text.
Then, create custom decoders and rules in Wazuh to alert you when known vulnerable packages are installed or modified.
Key Takeaways
- Don’t rely solely on vulnerability detectors like Wazuh Syscollector for project-local npm installs.
- Use FIM and log collection to monitor your codebase and dependencies.
- Regularly run npm audit or third-party scanners like Snyk as part of your CI/CD pipeline.
- Always combine automated detection with good monitoring practices for robust security coverage.
For more details on Wazuh CVE detection for Next.js, check out
By combining these approaches, you ensure that even project-local dependencies don’t slip under the radar, keeping your Next.js and React apps safer.
Posted with ❤️ by 0xdolan | GitHub
