A critical vulnerability in React Server Components is being actively exploited by multiple threat groups, putting thousands of websites, including crypto platforms, at immediate risk. Users of affected sites could potentially see all their assets exposed.
The flaw, tracked as CVE-2025-55182 and nicknamed React2Shell, allows an attacker to remotely execute code on an affected server without authentication. React maintainers disclosed the issue on December 3rd and assigned it the highest possible severity score.
Shortly after the disclosure, Google Threat Intelligence Group (GTIG) observed widespread exploitation by both financially motivated criminals and suspected state-sponsored hacker groups targeting unpatched React and Next.js applications across cloud environments.
Cryptographic drainer using React CVE-2025-55182
Through recent React CVE exploitation, we have observed a significant increase in drainers being uploaded to legitimate (encrypted) websites.
All websites should now check their front-end code for suspicious assets.
— Security Alliance (@_SEAL_Org) December 13, 2025
What is the vulnerability?
React Server Components run parts of a web application directly on the server instead of in the user's browser. The vulnerability stems from the way React decodes incoming requests to these server-side functions.
Simply put, an attacker can send a specially crafted web request to trick a server into executing arbitrary commands, effectively handing over control of the system to the attacker.
This bug affects React versions 19.0 to 19.2.0, including packages used by popular frameworks such as Next.js. In many cases, simply having a vulnerable package installed is enough for an application to be exploitable.
How it is used by attackers
Google Threat Intelligence Group (GTIG) has documented multiple active campaigns leveraging this flaw to deploy malware, backdoors, and crypto mining software.
Some attackers began exploiting the flaw and installing Monero mining software within days of its disclosure. These attacks covertly consume server resources and power, benefiting the attacker while reducing system performance for the victim.
Crypto platforms rely heavily on modern JavaScript frameworks, such as React and Next.js, to handle wallet interactions, transaction signing, and permission approval, often through front-end code.
Once a website is compromised, an attacker can inject malicious scripts that intercept wallet interactions or redirect transactions to their own wallets, even if the underlying blockchain protocol remains secure.
That makes front-end vulnerabilities especially dangerous for users who sign transactions through browser wallets.
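One way to act on the advice above to check front-end code for suspicious assets, as an added example that is not from the article or from Security Alliance: diff the script tags of a served page against the known-good build output of the same release. The function names, sample HTML and example.invalid hosts are constructed for illustration.

```javascript
// Added example: diff the <script> inventory of a served page against a
// known-good build. Regex extraction suits build output; use a real HTML
// parser for arbitrary markup.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_RE = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Collect external script URLs (resolved against pageUrl) and inline bodies.
function scriptInventory(html, pageUrl) {
  const external = new Set();
  const inline = new Set();
  for (const m of html.matchAll(SCRIPT_RE)) {
    const src = SRC_RE.exec(m[1]);
    if (src) {
      external.add(new URL(src[1] ?? src[2] ?? src[3], pageUrl).href);
    } else if (m[2].trim() !== "") {
      inline.add(m[2].trim());
    }
  }
  return { external, inline };
}

// Report scripts present in the live page but absent from the baseline.
function findUnexpectedScripts(baselineHtml, liveHtml, pageUrl) {
  const base = scriptInventory(baselineHtml, pageUrl);
  const live = scriptInventory(liveHtml, pageUrl);
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const url of live.external) {
    if (base.external.has(url)) continue;
    const sameOrigin = new URL(url).origin === pageOrigin;
    findings.push({ kind: sameOrigin ? "new-same-origin-script" : "new-third-party-script", detail: url });
  }
  for (const body of live.inline) {
    if (!base.inline.has(body)) findings.push({ kind: "new-inline-script", detail: body.slice(0, 80) });
  }
  return findings;
}

// Constructed sample pages (hosts and paths are placeholders).
const BASELINE_HTML = `<script src="/static/main.js"></script>
<script>window.__APP_ENV__ = "prod";</script>`;
const LIVE_HTML = `${BASELINE_HTML}
<script src="https://cdn.example.invalid/wallet-helper.js"></script>
<script>window.__hook = 1;</script>`;
const PAGE_URL = "https://app.example.invalid/";

console.log(findUnexpectedScripts(BASELINE_HTML, LIVE_HTML, PAGE_URL));
```

The baseline has to come from the build artifact of the release that is currently deployed, since hashed chunk names change between builds and would otherwise show up as new scripts.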