Critical Vulnerability in React Server Components Puts Websites at Risk
A serious vulnerability in React Server Components is currently being targeted by various threat groups, raising alarms for thousands of websites, particularly in the crypto sector. If these sites are compromised, users might face the risk of losing all their assets.
The issue is tracked as CVE-2025-55182 and is also known as React2Shell. It allows attackers to execute commands on affected servers remotely, without needing any authentication. React’s maintainers disclosed the vulnerability on December 3rd, rating it at the highest severity.
Following the announcement, the Google Threat Intelligence Group (GTIG) reported a surge in attacks, particularly from financially motivated criminals and suspected state-sponsored hacker groups. Their focus has been on unpatched React and Next.js applications across various cloud environments.
Understanding Vulnerabilities
React Server Components enable certain parts of a web application to run directly on the server instead of in the user's browser. The vulnerability arises from how React processes incoming requests to these server-side functions.
In simpler terms, an attacker can manipulate a web request to deceive the server into executing arbitrary commands, thereby gaining control over the system.
This flaw impacts React versions 19.0 to 19.2.0 and also affects packages used by well-known frameworks like Next.js. Notably, merely having an affected package installed can make a system susceptible to exploitation.
Methods of Attack
GTIG has observed various active campaigns that exploit this flaw to distribute malware, backdoors, and even software for mining cryptocurrency.
Some attackers began using the vulnerability to install Monero mining applications shortly after it was made public. These covert attacks can significantly drain server resources, benefiting the hackers while impairing the system’s performance for users.
Platforms dealing with cryptocurrencies often depend on modern JavaScript frameworks like React and Next.js to manage wallet interactions, sign transactions, and approve permissions, mostly through front-end code.
Once a website is compromised, attackers can inject harmful scripts that intercept wallet interactions or divert transactions to their wallets. This situation can arise even when the underlying blockchain remains secure, making front-end vulnerabilities particularly perilous for users who rely on browser wallets for transaction signing.





