
A critical vulnerability in React Server Components is being actively exploited by multiple threat groups, putting thousands of websites – including crypto platforms – at immediate risk, with users potentially seeing all of their assets wiped out if impacted.
The flaw, tracked as CVE-2025-55182 and named React2Shell, allows attackers to remotely execute code on affected servers without any authentication. React maintainers disclosed the issue on December 3 and assigned it the highest severity score.
Soon after the disclosure, Google's Threat Intelligence Group (GTIG) observed widespread exploitation by financially motivated criminals and suspected state-backed hacking groups, targeting unpatched React and Next.js applications in cloud environments.
What does the vulnerability do?
React Server Components are used to run parts of a web application directly on the server rather than in a user’s browser. The vulnerability lies in how React decodes incoming requests to these server-side functions.
Simply put, attackers can send a specially crafted web request that tricks the server into running arbitrary commands, effectively handing over control of the system to the attacker.
This issue affects React versions 19.0 through 19.2.0, including packages that are used by popular frameworks such as Next.js. Simply having vulnerable packages installed is often enough to allow exploitation.
How attackers are using it
Google’s Threat Intelligence Group (GTIG) documented several active campaigns using the flaw to deploy malware, backdoors and crypto-mining software.
Some attackers began exploiting the flaw within days of its disclosure, installing Monero mining software. These attacks silently consume server resources and power, generating profits for attackers while degrading system performance for victims.
Crypto platforms rely heavily on modern JavaScript frameworks such as React and Next.js, often allowing wallet interactions, transaction signing and approval via front-end code.
If a website is compromised, attackers can inject malicious scripts that block wallet interactions or redirect transactions to their own wallets — even if the underlying blockchain protocol remains secure.
This makes vulnerabilities in front ends that sign transactions via browser wallets particularly dangerous.




