Critical React Server Components Vulnerability Actively Exploited, Threatening Thousands of Websites
A critical vulnerability, dubbed React2Shell and tracked as CVE-2025-55182, is being actively exploited, putting thousands of websites, including numerous crypto platforms, at risk. The vulnerability affects React Server Components in versions 19.0 through 19.2.0, including packages used by Next.js.
The flaw permits unauthenticated remote code execution on affected servers, enabling attackers to inject malicious scripts. React maintainers disclosed the issue on December 3 and assigned it the highest severity score. Security firm GTIG has observed widespread exploitation by financially motivated criminals and suspected state-backed groups targeting unpatched React and Next.js packages in cloud environments.
Attackers deploy malware and crypto-mining software, such as Monero miners, which quietly consume server resources and electricity. If a site is compromised, attackers can also intercept wallet interactions or redirect transactions to attacker-controlled wallets, compromising users' wallet operations even though the blockchain itself remains secure. Merely having the vulnerable packages installed on a system can be sufficient for exploitation.