A critical vulnerability in React Server Components is being actively exploited by multiple threat groups, putting thousands of websites, including crypto platforms, at immediate risk. Users of affected sites could see all their assets drained.
The bug, tracked as CVE-2025-55182 and called React2Shell, allows attackers to execute code remotely on affected servers without authentication. React’s maintainers disclosed the issue on December 3 and assigned it the highest possible severity level.
Shortly after disclosure, the Google Threat Intelligence Group (GTIG) observed widespread exploitation by both financially motivated criminals and suspected government-sponsored hacker groups targeting unpatched React and Next.js applications across cloud environments.
What the vulnerability does
React Server Components are used to run parts of a web application directly on a server instead of in a user’s browser. The vulnerability stems from how React decodes incoming requests to these server-side functions.
Simply put, attackers can send a specially crafted web request that tricks the server into running arbitrary commands or effectively handing over control of the system to the attacker.
The bug affects React versions 19.0 through 19.2.0, including packages used by popular frameworks such as Next.js. Simply having the vulnerable packages installed is often enough to allow exploitation.
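A lockfile triage for the version range stated above, as an added example that is not part of the original article or of any React tooling. The package-name filter (`react-server-dom-*`), the helper names and the sample lockfile are assumptions made for illustration.

```javascript
// Affected range as stated in the article: React 19.0 through 19.2.0.
const MIN = [19, 0, 0];
const MAX = [19, 2, 0];
// Assumption: which package names to inspect. The article names only React
// and Next.js; "react-server-dom-*" is the Server Components package family.
const inScope = (name) =>
  name === "react" || name === "react-dom" || name.startsWith("react-server-dom-");

// "19.1.0-canary.3" -> [19, 1, 0]; returns null when no x.y.z prefix is found.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Walk the "packages" map of an npm lockfile (v2/v3) and report hits.
function triageLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    const ver = parseVersion(meta.version);
    if (idx === -1 || !ver) continue; // root/workspace entry or no usable version
    const name = path.slice(idx + "node_modules/".length);
    if (inScope(name) && cmp(ver, MIN) >= 0 && cmp(ver, MAX) <= 0) {
      findings.push({ name, version: meta.version, path, status: "in-range" });
    } else if (name === "next") {
      // The article gives no Next.js version range: flag for manual review.
      findings.push({ name, version: meta.version, path, status: "review" });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const sampleLock = {
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.1.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/legacy/node_modules/react": { version: "18.3.1" },
    "node_modules/next": { version: "0.0.0-placeholder" },
  },
};
console.log(triageLockfile(sampleLock));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `triageLockfile`. An `in-range` hit uses the article's range as written, so confirm the exact fixed release against the React advisory before closing it out.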
How attackers use it
The Google Threat Intelligence Group (GTIG) documented several active campaigns that used the flaw to deploy malware, backdoors, and crypto-mining software.
Some attackers began exploiting the flaw within days of its disclosure to install Monero mining software. These attacks quietly consume server resources and electricity, generating profits for attackers while degrading system performance for victims.
Crypto platforms rely heavily on modern JavaScript frameworks such as React and Next.js, which often handle wallet interactions, transaction signing, and approvals via front-end code.
If a website is compromised, attackers can inject malicious scripts that intercept wallet interactions or redirect transactions to their own wallets – even though the underlying blockchain protocol remains secure.
That makes front-end vulnerabilities particularly dangerous for users who sign transactions through browser wallets.



