A critical vulnerability in React server components is being actively exploited by several threat groups, putting thousands of websites – including crypto platforms – at immediate risk, with users potentially seeing all their assets depleted if hit.
The flaw, tracked as CVE-2025-55182 and dubbed React2Shell, allows attackers to execute code remotely on affected servers without authentication. React officials revealed the issue on December 3 and gave it the highest possible severity score.
Shortly after the disclosure, GTIG observed widespread exploitation by financially motivated criminals and suspected state-backed hacking groups, targeting unpatched React and Next.js applications in cloud environments.
What vulnerability does
React Server components are used to run parts of a web application directly on a server rather than in a user’s browser. The vulnerability arises from the way React decodes incoming requests to these server-side functions.
Simply put, attackers can send a specially crafted web request to trick the server into executing arbitrary commands or handing over control of the system to the attacker.
The bug affects React versions 19.0 to 19.2.0, including packages used by popular frameworks such as Next.js. Simply having the vulnerable packages installed is often enough to enable exploitation.
How attackers use it
The Google Threat Intelligence Group (GTIG) has documented several active campaigns using the flaw to deploy malware, backdoors, and crypto-mining software.
Some attackers began exploiting the flaw a few days after its disclosure to install Monero mining software. These attacks stealthily consume server resources and electricity, generating profits for the attackers while degrading system performance for the victims.
Crypto platforms rely heavily on modern JavaScript frameworks like React and Next.js, often handling wallet interactions, transaction signing, and authorization approvals through front-end code.
If a website is compromised, attackers can inject malicious scripts that intercept wallet interactions or redirect transactions to their own wallet, even if the underlying blockchain protocol remains secure.
This makes front-end vulnerabilities particularly dangerous for users who sign transactions through browser wallets.