Cybersecurity experts are warning of a growing wave of crypto wallet drainers being silently injected into legitimate websites through a newly disclosed vulnerability in the popular JavaScript library React.
According to the nonprofit Security Alliance (SEAL), attackers are actively exploiting a critical flaw in React to plant malicious code that can drain users’ crypto wallets — often without the website owners realizing anything is wrong.
React Vulnerability Enables Remote Code Execution
The issue, tracked as CVE-2025-55182, was disclosed on Dec. 3 by the React team after being identified by white-hat researcher Lachlan Davidson. The vulnerability allows unauthenticated remote code execution, meaning attackers can inject and run arbitrary code on affected websites.
React is one of the most widely used front-end frameworks in the world, powering millions of web applications — including many crypto platforms, DeFi apps, and NFT sites.
SEAL says malicious actors are now leveraging this flaw to inject wallet-draining scripts into otherwise legitimate crypto websites.
“We are observing a big uptick in drainers uploaded to legitimate crypto websites through exploitation of the recent React CVE,” the SEAL team said.
“All websites should review front-end code for any suspicious assets NOW.”
Not Just Web3: All Websites Are at Risk
While crypto platforms are a primary target due to the financial upside, SEAL emphasized that this is not limited to Web3 projects.
Any website running vulnerable React server components could be compromised, exposing users to malicious pop-ups or signature requests designed to trick them into approving transactions that drain their wallets.
Users are urged to exercise extreme caution when signing any permit or wallet approval, even on sites they trust.
Warning Signs: Phishing Flags and Obfuscated Code
SEAL noted that some affected websites may suddenly receive phishing warnings from browsers or wallet providers without a clear reason. This can be a signal that hidden drainer code has been injected.
Website operators are advised to:
Scan servers for CVE-2025-55182
Check whether front-end code is loading assets from unknown domains
Look for obfuscated JavaScript in scripts
Verify that wallet signature requests show the correct recipient address
“If your project is getting blocked, that may be the reason,” SEAL said, urging developers to review their code before appealing phishing warnings.
React Releases Fix, Urges Immediate Upgrades
The React team has already released a patch and strongly recommends that developers upgrade immediately if they are using any of the following packages:
react-server-dom-webpack
react-server-dom-parcel
react-server-dom-turbopack
React clarified that applications not using React Server Components or server-side React code are not affected by this vulnerability, according to Cointelegraph.
