A security vulnerability in React Server Components has led to urgent warnings across the crypto industry after attackers rushed to exploit it to drain digital wallet balances and spread malware.
The Security Alliance announced that attackers were widely exploiting the CVE-2025-55182 vulnerability and urged all website operators to immediately examine their front-end code for any suspicious software remnants.
Furthermore, the impact of this vulnerability is not limited to Web3 protocols but extends to every website that uses the React library. Attackers target authorization signatures across various platforms, exposing users to direct risk when signing a transaction: the malware intercepts digital wallet communications and transfers balances to wallet addresses owned by the hackers.
Crypto Drainers using React CVE-2025-55182
We are seeing a large increase in the number of drainers uploaded to legitimate (crypto) websites due to exploitation of the recent React CVE.
All websites should examine the front-end code NOW for any suspicious assets.
– Security Alliance (@_SEAL_Org) December 13, 2025
A critical vulnerability that allows remote malicious code execution
The CVE-2025-55182 vulnerability was disclosed by the official React team on December 3 and was classified as CVSS 10.0 following Lachlan Davidson’s Meta Bug Bounty report on November 29.
This vulnerability, which allows remote malicious code execution without authentication, abuses the mechanism React uses to decode data sent to backend server functions, allowing attackers to craft malicious HTTP requests that execute code on the server.
It should be noted that this vulnerability affected React versions 19.0, 19.1.0, 19.1.1 and 19.2.0 in the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages.
As a result, major web frameworks including Next.js, React Router, Waku and Expo required immediate updates once fixes became available in React 19.0.1, 19.1.2 and 19.2.1, forcing Next.js users to update to patched releases ranging from 14.2.35 to 16.0.10.
Unfortunately, researchers have once again discovered a new pair of security flaws.
Researchers discovered two new vulnerabilities in React Server Components while attempting to exploit patches last week.
These are new issues, separate from last week’s critical CVE. The React2Shell fix remains effective for the Remote Code Execution exploit.
– React (@reactjs) December 11, 2025
This prompted Vercel to automatically deploy web application firewall rules to protect projects on its platform, although Vercel itself noted that the firewall feature alone did not appear sufficient.
In its security bulletin of December 3, Vercel put it in these terms: “Immediate migration to an updated version is required”, adding that the vulnerability affects applications that process untrusted input in a way that allows remote execution of malicious code.
Several threat groups carry out coordinated attacks
Google’s threat intelligence team documented widespread attacks starting December 3, attributing them to groups ranging from opportunistic hackers to government-backed actors. Chinese hacker groups installed different types of malware on the compromised systems, mainly targeting cloud servers hosted on Amazon Web Services and Alibaba Cloud.
These attackers used sophisticated techniques to maintain persistent access to the targeted systems. Some groups installed software that opened covert remote-control tunnels, while others deployed downloaders that continually fetched additional malicious tools disguised as benign files. The malware hides in system folders and restarts automatically to evade detection.
Other groups disguised their malware as ordinary software or used legitimate cloud services such as Cloudflare and GitLab to hide their communications.
New details on several state and criminal actors now exploiting React2Shell. https://t.co/4M21rqLndT
– John Hultquist (@JohnHultquist) December 13, 2025
Financially motivated criminals also joined the wave of attacks on December 5, installing cryptocurrency-mining software that covertly uses the processing power of victims’ machines to mine Monero (XMR). These groups kept the hidden miners running constantly in the background, raising victims’ electricity costs while generating profit for the attackers, and underground hacking forums quickly filled with discussions of attack tools and hacking experiences.
Historic Pattern of Supply Chain Attacks Continues
The React security vulnerability follows an attack on September 8, in which hackers hijacked the npm account of popular open source maintainer Josh Goldberg and published malicious updates to 18 commonly used packages, including chalk, debug and strip-ansi. Together, these packages are downloaded more than 2.6 billion times per week.
Researchers also discovered crypto-clipper malware that intercepts browser functions to replace genuine crypto wallet addresses with addresses belonging to the hackers.
For his part, Charles Guillemet, the technical director of Ledger, described the incident as an “Expanded attack on supply chains”, advising users who do not have hardware wallets to avoid transacting on the blockchain.
The attackers allegedly gained access to victims through phishing campaigns posing as npm support, claiming that accounts would be locked out unless 2FA credentials were updated by September 10.
Hackers are stealing more crypto and moving it faster. A laundering process lasted only 2 minutes 57 seconds. Can the industry cope? #CryptoSecurity #Web3 #Blockchain #Challenge https://t.co/lGwutYsT6Q
– Cryptonews.com (@cryptonews) August 12, 2025
Data from Global Ledger shows that hackers stole digital assets worth more than $3 billion in 119 fraudulent operations during the first half of 2025. Some 70% of the stolen balances were moved before the breach was detected, and only 4.2% of stolen assets were recovered, as laundering now takes seconds instead of hours.
Organizations running React or Next.js are currently advised to update immediately to versions 19.0.1, 19.1.2 or 19.2.1, deploy web application firewall (WAF) rules, review all dependencies, monitor for wget or cURL commands executed by web server processes, and look for hidden malicious directories or injected configuration on their operating systems.
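The dependency review advised above, as an added example that is not code from the article, the React project or Vercel: a Node script that walks the `packages` map of an npm lockfile (v2/v3 format) and flags the three react-server-dom packages at the versions the article lists as affected and as fixed. The lockfile contents, the package name `sample-app` and the nested `some-lib` path are constructed sample data; the version `19.3.0` is likewise a constructed value used only to show the "unknown" case.

```javascript
// Added audit example (not from the article or the React project). Classifies
// react-server-dom-* entries in an npm lockfile against the versions the
// article names for CVE-2025-55182. All sample data below is constructed.
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// Affected versions from the article ("19.0" read as 19.0.0) and the fixed releases.
const AFFECTED_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
const FIXED_VERSIONS = new Set(["19.0.1", "19.1.2", "19.2.1"]);

// Lockfile v2/v3 keys look like "node_modules/<name>" or
// "node_modules/<parent>/node_modules/<name>"; the last segment is the package name.
function auditLockfile(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!AFFECTED_PACKAGES.includes(name) || !meta.version) continue;
    let status = "unknown"; // not in either list: check the advisory by hand
    if (AFFECTED_VERSIONS.has(meta.version)) status = "vulnerable";
    else if (FIXED_VERSIONS.has(meta.version)) status = "patched";
    findings.push({ path, name, version: meta.version, status });
  }
  return findings;
}

function hasVulnerableEntry(findings) {
  return findings.some((f) => f.status === "vulnerable");
}

// Constructed sample lockfile: one vulnerable, one patched, one nested unknown.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/some-lib/node_modules/react-server-dom-parcel": { version: "19.3.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.status.padEnd(10)} ${f.name}@${f.version}  (${f.path})`);
}
```

Against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json"))` and treat any "vulnerable" line as a blocker for deployment.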
The article Influential Hack of JavaScript Library Codes Endangers All Crypto Websites appeared first on Cryptonews Arabic.
