
FINRA Cybersecurity Alert – React2Shell

Nation-State Threat Actors Targeting Web Applications Built With React Server Components

FINRA firms should be aware of a vulnerability in web applications built with React Server Components (RSC), which could allow unauthorized access to internal systems. Nation-state threat actors are purportedly exploiting this vulnerability to gain access to systems and sensitive files on servers built using RSC. The vulnerability has the potential to allow threat actors to take control of a firm’s entire system if exploited.

FINRA recommends sharing this Cyber Alert with appropriate information technology and information security personnel to identify whether your firm is impacted and take immediate steps to protect your environments.

BACKGROUND

Vulnerability Discovery and Disclosure Timeline

On Dec. 3, 2025, the React team disclosed a critical vulnerability in RSC known as “React2Shell,” where applications built with RSC process data without first checking to ensure it is safe to do so. This could allow a threat actor to deliver data to the system that, once processed, executes malicious programs, allows unauthorized access, or even causes a denial of service (DoS), essentially crashing the program, rendering it unusable. In cybersecurity circles, this is commonly known as “unsafe deserialization of attacker-controlled payloads.” The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has labeled this specific vulnerability:

  • CVE-2025-55182 (CVSS 10/10, EPSS 77.8%, In KEV: Yes (12/4/2025))1 – An upstream vulnerability that results from unsafe deserialization of attacker-controlled RSC payloads, enabling crafted requests to trigger unintended server-side function calls. CVE-2025-66478 is a related downstream identifier that covers the specific impact on Next.js applications that use the App Router with RSC.

Multiple China-nexus threat actors, including Earth Lamia,2 Jackpot Panda3 and several previously untracked groups, began actively exploiting this vulnerability within hours of React disclosing it. Threat intelligence has since confirmed a high volume of exploit attempts in which these groups infiltrated vulnerable systems and injected code that searches for valuable data and saves files in temporary directories for future attacks, as well as attempts to take control of operating systems and steal sensitive system files.

Technical Details & Indicators of Compromise (IOCs)

FINRA recommends sharing the following details and IOCs with your information technology and information security personnel to identify whether your firm is impacted.

  • Attack indicators include requests containing 'next-action' or 'rsc-action-id' headers, payload patterns such as '$@' or '"status":"resolved_model"', and unauthorized access attempts to files such as /etc/passwd.
  • Only Next.js App Router-based deployments are affected; Next.js Pages Router and Edge Runtime deployments remain unaffected.
  • Vulnerable RSC packages are also used by React Router's unstable RSC APIs, Waku, Redwood SDK, @parcel/rsc, @vitejs/plugin-rsc and other frameworks; any stack that embeds vulnerable RSC packages and exposes Server Function endpoints is potentially affected.

RECOMMENDED ACTIONS
FINRA encourages member firms that use React Server Components, including Next.js with App Router or other RSC-enabled frameworks, to share the following information with their cybersecurity and technology management personnel to take immediate steps to protect their environments. Firms should consult React’s website for specific instructions on updating vulnerable systems,4 and consider the following additional actions:

  1. Identify and Inventory Affected Systems
    Conduct an inventory of all web applications, development platforms, and deployment infrastructure to identify systems using React Server Components, Next.js with App Router, React Router's RSC APIs, Waku, Redwood SDK, @parcel/rsc, @vitejs/plugin-rsc, or other RSC-based frameworks. For each system identified, determine the current version of React, Next.js, and related RSC packages deployed to assess exposure.5
     
  2. Deploy Monitoring and Detection Rules
    Implement monitoring to alert on high-volume or malformed RSC requests, repeated deserialization attempts or errors, attempts to invoke server functions unexpectedly, HTTP headers such as 'next-action' or 'rsc-action-id', payload patterns such as '$@' or '"status":"resolved_model"', requests with unexpected user agent strings (including "python-requests" or "python/3.11 aiohttp"), attempts to read sensitive system files such as /etc/passwd, unexpected file writes in temporary directories, and patterns consistent with proof-of-concept or manual exploitation.6
     
  3. Investigate for Manual Exploitation Traces
    Conduct forensic review of application logs, API access logs, and system activity logs for evidence of sequential exploit retries, incremental payload modifications, reconnaissance commands such as 'whoami' or 'id', persistent probing behavior or attempts to establish remote access, and unexpected code execution or privilege escalation events. Because threat actors have demonstrated hands-on-keyboard activity, pay particular attention to patterns that suggest human-directed exploitation rather than purely automated scanning.7
     
  4. Review Logs and Block Malicious IP Addresses
    Conduct a comprehensive review of web server logs, application logs, WAF logs, and network traffic logs from Dec. 3, 2025, forward for indicators of exploitation attempts or successful compromise, including HTTP headers such as 'next-action' and 'rsc-action-id', payload patterns such as '$@' or '"status":"resolved_model"', requests from suspicious geographic origins or VPN/proxy services, and attempts to read /etc/passwd or other sensitive configuration files. Additionally, review logs for connections from known threat actor IP addresses (206.237.3.150, 45.77.33.136, and 183.6.80.214) associated with Earth Lamia, Jackpot Panda, and unattributed clusters, and consider implementing blocking rules where appropriate.8
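The following is an added example and not part of the FINRA alert: a small Python triage script that applies the indicators listed in the Technical Details section and in steps 2 and 4 above (the 'next-action' and 'rsc-action-id' headers, the '$@' and '"status":"resolved_model"' payload strings, the scripted user agents, /etc/passwd access, and the three listed IP addresses) to web-server log lines, escalating any request from a listed actor IP or any request that matches two or more indicators. The log layout and the sample entries are constructed for the example; a real deployment would parse its own server's log format, and a lone 'next-action' header is expected in benign Server Action traffic, which is why it is only escalated in combination.

```python
import re
from collections import Counter

# Indicators taken from the alert, grouped by the signal each one represents.
KNOWN_ACTOR_IPS = {"206.237.3.150", "45.77.33.136", "183.6.80.214"}
ACTION_HEADERS = ("next-action", "rsc-action-id")
PAYLOAD_PATTERNS = ("$@", '"status":"resolved_model"')
SCRIPTED_AGENTS = ("python-requests", "aiohttp")
SENSITIVE_PATHS = ("/etc/passwd",)

# Constructed log layout for this example (not a real server format):
#   ip | request line | request headers | user-agent | request body
LINE_RE = re.compile(r"^(?P<ip>\S+) \| (?P<req>[^|]*) \| (?P<hdrs>[^|]*) \| (?P<ua>[^|]*) \| (?P<body>.*)$")

def classify(line):
    """Return the names of the alert's indicators that one log line matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsable"]
    checks = [
        ("known-actor-ip", m["ip"] in KNOWN_ACTOR_IPS),
        # present in benign Server Action calls too, so it is a weak signal on its own
        ("rsc-action-header", any(h in m["hdrs"].lower() for h in ACTION_HEADERS)),
        ("rsc-payload-pattern", any(p in m["body"] for p in PAYLOAD_PATTERNS)),
        ("scripted-user-agent", any(a in m["ua"].lower() for a in SCRIPTED_AGENTS)),
        ("sensitive-file-access", any(p in m["req"] or p in m["body"] for p in SENSITIVE_PATHS)),
    ]
    return [name for name, hit in checks if hit]

def triage(log_text):
    """Escalate lines from a listed actor IP or with two or more indicators; count hits per IP."""
    flagged, per_ip = [], Counter()
    for line in log_text.splitlines():
        hits = classify(line)
        if not hits:
            continue
        ip = line.split(" | ", 1)[0]
        per_ip[ip] += len(hits)
        if "known-actor-ip" in hits or len(hits) >= 2:
            flagged.append((ip, hits))
    return flagged, per_ip

# Constructed sample log: a benign Server Action call, two suspicious requests, a plain page view.
SAMPLE_LOG = """\
203.0.113.10 | POST /dashboard | next-action: 7f3a | Mozilla/5.0 | [{"title":"hello"}]
45.77.33.136 | POST / | next-action: 1 | python-requests/2.31 | {"status":"resolved_model","v":"$@"}
198.51.100.7 | GET /api/file?p=/etc/passwd | rsc-action-id: x | Mozilla/5.0 | -
192.0.2.5 | GET /about | accept: text/html | Mozilla/5.0 | -
"""
```

Calling `triage(SAMPLE_LOG)` escalates the second and third sample lines and returns per-IP indicator counts that can feed the blocking decision in step 4.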

FINRA encourages member firms that identify data breaches or attempted data breaches to contact their Risk Monitoring Analyst and report them to:

Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). 

Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU). 

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices.  


1Commonly used cybersecurity definitions and resources: (1) Common Vulnerabilities and Exposures (CVE) – A NIST dictionary of publicly known cybersecurity vulnerabilities, each assigned a unique, standardized identifier (CVE ID) to facilitate sharing and communication about the specific security flaw; (2) Common Vulnerability Scoring System (CVSS) – Measures the relative severity of software flaw vulnerabilities ranging from 0 to 10, with 10 being the most severe; (3) Exploit Prediction Scoring System (EPSS) – Provides probabilities that a vulnerability will be observed to be exploited “in the wild” within the next 30 days (e.g., a score of 0.5 indicates a 50 percent chance that firms using the tool will be exploited through it in the next 30 days); and (4) Known Exploited Vulnerabilities (KEV) – CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild (organizations often use the KEV catalog as an input to their vulnerability management prioritization framework).
2Earth Lamia, a Chinese state-sponsored threat actor active since 2023, has shifted its targeting focus from the financial sector to logistics, retail, IT, education, and government organizations across Brazil, India, and Southeast Asia by early 2025. Their operations demonstrate sophisticated cyber-espionage capabilities with methodical exploitation of known vulnerabilities for initial access.
3Jackpot Panda, active since at least 2020, primarily targets financial services, logistics, retail, IT companies, universities, and government organizations across Latin America, the Middle East, and Southeast Asia. The threat actor exploits trusted third-party relationships to deploy malicious implants like XShade and CplRAT through supply chain compromises.
4If immediate patching is not possible, limit internet exposure of RSC endpoints, require authentication for sensitive endpoints, temporarily segment affected services, and apply rate limiting with anomaly detection around RSC endpoints to reduce exposure to high-volume automated exploitation.
5This recommendation follows one category of the IDENTIFY (ID) core function of NIST's Cybersecurity Framework (CSF) 2.0: "ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained."
6This recommendation follows one category of the DETECT (DE) core function of NIST's Cybersecurity Framework (CSF) 2.0: "DE.AE-06: Information on adverse events is provided to authorized staff and tools."
7This recommendation follows one category of the DETECT (DE) core function of NIST's Cybersecurity Framework (CSF) 2.0: "DE.AE-02: Potentially adverse events are analyzed to better understand associated activities."
8This recommendation follows one category of the DETECT (DE) core function of NIST's Cybersecurity Framework (CSF) 2.0: "DE.CM-01: Networks and network services are monitored to find potentially adverse events."