A critical vulnerability in React Server Components, dubbed "React2Shell", is being widely exploited in the wild, putting thousands of websites at risk, including cryptocurrency platforms.
The vulnerability, tracked as CVE-2025-55182, lets an unauthenticated attacker execute arbitrary code on the server. It affects React 19.0.0 through 19.2.0, specifically the React Server Components packages (react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack) that frameworks such as Next.js build on.
How does the vulnerability work?
The flaw lies in how React Server Components deserialise the payload of incoming requests to Server Functions. By sending a specially crafted HTTP request, an unauthenticated attacker can make the server execute arbitrary code, which amounts to full control of the server process. An application is exposed as soon as it serves React Server Components with an affected package installed, whether or not it defines Server Functions of its own.
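Because exposure follows from the installed package rather than from application code, the first practical check is a lockfile audit. The following is an added example, not code from the article or from the React project: it scans a package-lock.json (lockfile version 2 or 3, where entries are keyed by their node_modules path, including nested copies) for the three affected packages and reports any still below the first fixed release on its minor line. The fixed versions (19.0.1, 19.1.2, 19.2.1) are the ones published in the React advisory; verify them against the advisory before relying on this list. The sample lockfile is constructed for the example, and prerelease builds of a fixed version (for example a canary of 19.2.1) are deliberately treated as vulnerable, since they predate the fix.

```javascript
// Added example (not from the original article or the React project):
// flag React Server Components packages affected by CVE-2025-55182
// in a package-lock.json. Runs offline on a constructed sample lockfile.

// Packages named in the React advisory as carrying the vulnerable code.
const AFFECTED_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// First safe release on each affected minor line (19.0.x, 19.1.x, 19.2.x).
// Taken from the React advisory; re-check there before trusting this list.
const FIXED_VERSIONS = ["19.0.1", "19.1.2", "19.2.1"];

// Minimal "major.minor.patch[-prerelease]" parser; tolerates a "v" prefix.
// Returns null for anything it cannot parse so the caller can report it
// instead of silently treating it as safe.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: Boolean(m[4]) };
}

// True when the version is on an affected 19.x minor line and below the fix.
function isVulnerableVersion(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19) return false;
  for (const fixed of FIXED_VERSIONS) {
    const f = parseVersion(fixed);
    if (p.minor !== f.minor) continue;
    if (p.patch < f.patch) return true;
    // A prerelease of the fix version (e.g. 19.2.1-canary-*) predates the fix.
    return p.patch === f.patch && p.prerelease;
  }
  return false; // 19.3 and later are not listed as affected
}

// Walk every entry in the lockfile, including nested copies such as
// node_modules/next/node_modules/react-server-dom-turbopack.
function findVulnerableRscPackages(lockfile) {
  const findings = [];
  const packages = lockfile.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // "" is the root project entry, not a dependency
    const name = path.slice(idx + "node_modules/".length);
    if (!AFFECTED_PACKAGES.includes(name)) continue;
    const version = entry.version || "";
    if (!parseVersion(version)) {
      findings.push({ path, name, version, note: "unparsable version, review manually" });
    } else if (isVulnerableVersion(version)) {
      findings.push({ path, name, version });
    }
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one package on a
// vulnerable release, one on a vulnerable nested canary, one already fixed.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/react-server-dom-parcel": { version: "19.1.0-canary-abc123" },
  },
};

console.log(JSON.stringify(findVulnerableRscPackages(SAMPLE_LOCKFILE), null, 2));
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The `react` entry itself is not checked because the vulnerable deserialisation code ships in the react-server-dom-* packages; upgrading those (and the framework that pins them) is what removes the exposure.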
Impact:
Attackers ranging from financially motivated criminal groups to state-sponsored actors are exploiting the flaw to deploy malware, backdoors and Monero miners, which consume server resources and generate profit for the attackers.
On cryptocurrency platforms, malicious scripts injected into a compromised site can intercept wallet interactions, redirect transactions or drain tokens outright. The underlying blockchain protocols are not affected; the theft happens in the compromised web front-end that users trust.
Recommended actions:
The vulnerability was publicly disclosed on December 3, 2025 and is rated critical. Upgrade the affected React Server Components packages, and the framework that bundles them (for Next.js, the patched releases of its affected version lines), to fixed versions immediately. Because exploitation began soon after disclosure, any server that ran a vulnerable version while reachable from the internet should also be checked for signs of compromise rather than only patched, and site owners should review the front-end assets they serve for scripts they did not deploy.
The Security Alliance warned on December 13, 2025 of a sharp increase in token thefts via this vulnerability and urged all website operators to review their sites immediately.
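The front-end review the text calls for starts with the scripts a rendered page actually loads. The following is an added example, not code from the article or from the Security Alliance: it extracts every `<script>` tag from a page's HTML, resolves each external `src` against the page URL and flags origins outside a known-good allowlist (including protocol-relative and `data:` sources, which resolve to an unexpected or null origin), and marks inline scripts that touch wallet provider APIs so a reviewer reads them first. The allowlisted origins, the marker strings and the sample HTML are all constructed for the example; a marker hit means "read this script", not "this is malicious", since legitimate wallet integrations use the same APIs.

```javascript
// Added example (not from the original article): first-pass review of the
// <script> tags on a rendered page, to spot assets the site owner did not
// deploy. Runs offline on a constructed HTML sample.

// Origins this site is expected to load scripts from (assumption for the example).
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://app.example",
  "https://static.example",
]);

// Wallet provider API names that an interception script would have to use.
// Heuristic triage markers, not a detection signature: legitimate dapp code
// references them too.
const WALLET_API_MARKERS = [
  "window.ethereum",
  "eth_sendTransaction",
  "eth_signTypedData",
  "window.solana",
];

// Pull the src attribute out of a <script ...> tag's attribute string.
const SRC_ATTR = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Returns one finding per script tag; `flag` is null for scripts that
// look expected, otherwise a short reason to review them.
function reviewScripts(html, pageUrl) {
  const findings = [];
  // Built per call so a thrown error cannot leave a stale lastIndex behind.
  const scriptTag = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const srcMatch = SRC_ATTR.exec(attrs);
    if (srcMatch) {
      const src = srcMatch[1] ?? srcMatch[2] ?? srcMatch[3];
      let origin;
      try {
        // Relative and protocol-relative URLs resolve against the page;
        // data: and javascript: URLs yield the opaque origin "null".
        origin = new URL(src, pageUrl).origin;
      } catch {
        origin = "invalid";
      }
      const allowed = ALLOWED_SCRIPT_ORIGINS.has(origin);
      findings.push({ kind: "external", src, origin, flag: allowed ? null : "unexpected-origin" });
    } else {
      const hits = WALLET_API_MARKERS.filter((marker) => body.includes(marker));
      findings.push({
        kind: "inline",
        length: body.length,
        flag: hits.length ? "wallet-api:" + hits.join(",") : null,
      });
    }
  }
  return findings;
}

// Only the entries a human should look at.
function suspiciousScripts(findings) {
  return findings.filter((f) => f.flag !== null);
}

// Constructed sample page (not a real site): two expected scripts, one
// protocol-relative script from an unknown origin, one framework inline
// script, and one inline script that wraps the wallet provider's request().
const SAMPLE_PAGE_URL = "https://app.example/swap";
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="/_next/static/chunks/main.js"></script>
<script src="https://static.example/vendor.js"></script>
<script src="//cdn.evil.example/wallet.js"></script>
<script>window.__NEXT_DATA__={};</script>
<script>const p=window.ethereum;const r=p.request.bind(p);p.request=(a)=>r(a);</script>
</head><body></body></html>`;

console.log(JSON.stringify(suspiciousScripts(reviewScripts(SAMPLE_HTML, SAMPLE_PAGE_URL)), null, 2));
```

Run it on the HTML as served to a browser (for example the output of `curl` against the live site), not on the source in the repository: an attacker who has code execution on the server injects into what is served, and the repository will look clean. Comparing the list of external sources against what the build pipeline is known to emit is the quickest way to spot an asset that was never deployed.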

