Multiple threat groups are actively exploiting a critical vulnerability in React Server Components, putting thousands of websites, including crypto platforms, at immediate risk; users of affected sites could see all their assets drained.
The flaw, tracked as CVE-2025-55182 and dubbed react2shell, allows attackers to remotely execute code on affected servers without authentication. React maintainers disclosed the issue on December 3 and assigned it the highest possible severity score.
Shortly after the disclosure, the Google Threat Intelligence Group (GTIG) observed widespread exploitation by both financially motivated criminals and suspected state-backed hacking groups, targeting unpatched React and Next.js applications in cloud environments.
What does the vulnerability do?
React Server Components are used to run parts of a web application directly on a server instead of in a user’s browser. The vulnerability arises from how React decodes incoming requests to these server-side functions.
In simple terms, attackers can send a specially crafted web request that tricks the server into executing arbitrary commands or effectively handing control of the system to the attacker.
The bug affects React versions 19.0 to 19.2.0, including packages used by popular frameworks like Next.js. Simply having the vulnerable packages installed is usually enough to allow exploitation.
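A defender-side inventory check for the affected range named above, added here as an example and not code from the article or the React project: it scans a parsed package-lock.json for React packages pinned anywhere from 19.0.0 through 19.2.0. The lockfile layout, the package-name prefix test and the sample lockfile are assumptions made for the example.

```javascript
// Added example (not from the article). Flags lockfile entries whose version
// falls in the range the article gives for CVE-2025-55182: 19.0.0 to 19.2.0.
const VULN_MIN = [19, 0, 0];
const VULN_MAX = [19, 2, 0];

// Parse "19.2.0", "v19.1.0" or "19.0.0-rc.1" into [major, minor, patch];
// returns null for anything that is not a concrete version (e.g. "latest").
function parseVersion(v) {
  const m = /^=?v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function inVulnerableRange(version) {
  const p = parseVersion(version);
  return p !== null && cmp(p, VULN_MIN) >= 0 && cmp(p, VULN_MAX) <= 0;
}

// Assumption: React's own packages are published as "react" or "react-*".
function isReactPackage(name) {
  return name === "react" || name.startsWith("react-");
}

// lock is the parsed JSON of a package-lock.json (lockfileVersion 2 or 3),
// whose "packages" map is keyed by install path, e.g. "node_modules/react".
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // handles nested copies
    if (!meta.version || !isReactPackage(name)) continue;
    if (inVulnerableRange(meta.version)) hits.push({ name, path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-dom": { version: "19.1.0" },
    "node_modules/next": { version: "15.0.0" },
    "node_modules/some-lib/node_modules/react": { version: "18.3.1" },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) console.log(`${h.path}: ${h.version} is in the affected range`);
```

Run it against a real project by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; a hit means the dependency should be compared against the advisory, not that exploitation has occurred.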
How attackers use it
The Google Threat Intelligence Group (GTIG) documented multiple active campaigns using the flaw to deploy malware, backdoors, and cryptomining software.
Some attackers began exploiting the flaw within days of its disclosure to install Monero mining software. These attacks silently consume server resources and electricity, generating profits for attackers and degrading system performance for victims.
Crypto platforms rely heavily on modern JavaScript frameworks like React and Next.js, and often handle wallet interactions, transaction signing, and permission approvals through front-end code.
If a website is compromised, attackers can inject malicious scripts that intercept wallet interactions or redirect transactions to their own wallets, even if the underlying blockchain protocol remains secure.
That makes front-end vulnerabilities particularly dangerous for users who sign transactions through browser wallets.