
A serious vulnerability in React Server Components is being actively exploited by several threat groups, putting numerous websites at risk, including cryptocurrency platforms, where users of an affected site could have all their assets drained.
The flaw, tracked as CVE-2025-55182 and referred to as React2Shell, allows attackers to execute code remotely on vulnerable servers without any authentication. The React maintainers disclosed the issue on Dec. 3 and assigned it the highest severity rating.
Following the announcement, the Google Threat Intelligence Group (GTIG) observed widespread exploitation by financially motivated criminals and likely state-backed hacking groups, targeting unpatched React and Next.js applications across cloud platforms.
Impact of the vulnerability
React Server Components operate by executing portions of a web application on a server instead of within a user’s browser. The vulnerability arises from how React processes incoming requests to these server-side functions.
Essentially, attackers can send a specially crafted web request that deceives the server into executing arbitrary commands, effectively giving control of the system to the attacker.
This defect impacts React versions 19.0 through 19.2.0, including packages utilized by popular frameworks like Next.js. Simply having these vulnerable packages installed is often sufficient for exploitation to occur.
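Because the article notes that merely having a vulnerable package installed is often enough, the first thing a defender wants is an inventory check. The following is an added example, not code from the article or from the React project: a dependency-free Node.js scanner that walks a package-lock.json (lockfile v2/v3 "packages" map, nested copies included) and flags React packages whose version falls in the range the article gives as affected, 19.0 through 19.2.0. The package names checked and the sample lockfile are assumptions constructed for the example; the patched point releases published by the React maintainers sit inside that numeric range, so confirm the exact fixed versions against the official advisory before treating a hit as confirmed, and treat this as a triage aid rather than the final word. Pre-release tags (for example canary builds) are compared on their base triple, which is the conservative choice.

```javascript
// Added example (not from the article or the React project): scan a lockfile for
// React packages in the version range the article reports as affected by
// CVE-2025-55182 (19.0 through 19.2.0). Package list below is an assumption.
const SUSPECT_PACKAGES = new Set([
  'react',
  'react-dom',
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Parse "major.minor.patch" with an optional pre-release suffix; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two parsed versions on the numeric triple only (pre-release tags ignored).
function compareTriple(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Affected range as stated in the article: 19.0.0 <= version <= 19.2.0.
const RANGE_LOW = parseVersion('19.0.0');
const RANGE_HIGH = parseVersion('19.2.0');

function isAffectedVersion(version) {
  const p = parseVersion(version);
  if (!p) return false;
  return compareTriple(p, RANGE_LOW) >= 0 && compareTriple(p, RANGE_HIGH) <= 0;
}

// Walk the lockfile's "packages" map. Keys look like "node_modules/react" or
// "node_modules/next/node_modules/react-dom"; the last path segment after the
// final "node_modules/" is the package name, so nested duplicates are caught too.
// Lockfile v1 (the older "dependencies" tree) is not handled here.
function findAffected(lockfileJson) {
  const lock = typeof lockfileJson === 'string' ? JSON.parse(lockfileJson) : lockfileJson;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!name || !SUSPECT_PACKAGES.has(name)) continue;
    if (entry && typeof entry.version === 'string' && isAffectedVersion(entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one affected nested copy, one affected top-level
// server-components package, and unaffected packages that must not be flagged.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react': { version: '18.3.1' },
    'node_modules/next': { version: '0.0.0-placeholder' },
    'node_modules/next/node_modules/react-dom': { version: '19.1.0' },
    'node_modules/react-server-dom-webpack': { version: '19.2.0' },
    'node_modules/lodash': { version: '4.17.21' },
  },
});

// Demo run on the constructed sample; in practice pass the contents of a real
// package-lock.json (e.g. fs.readFileSync('package-lock.json', 'utf8')).
const report = findAffected(SAMPLE_LOCK);
for (const h of report) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
if (report.length === 0) console.log('no React packages in the reported range found');
```

Run it against each deployed application's lockfile (including containers built from cached layers), not just the source repository, since a stale image can carry a vulnerable copy that the repository no longer references.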
Methods of exploitation
The Google Threat Intelligence Group (GTIG) has documented various active campaigns leveraging this flaw to deploy malware, backdoors, and crypto-mining software.
Some attackers began to exploit the vulnerability shortly after its announcement to install Monero mining software. These attacks quietly consume server resources and electricity, generating profits for attackers while harming system performance for victims.
Cryptocurrency platforms heavily depend on modern JavaScript frameworks like React and Next.js, frequently managing wallet interactions, transaction signing, and permit approvals through front-end code.
A compromised website lets attackers inject malicious scripts that can tamper with wallet interactions or reroute transactions to wallets they control, even if the underlying blockchain protocol itself remains secure.
This makes front-end vulnerabilities particularly perilous for users who authorize transactions through browser wallets.
