
Major Vulnerability in React Server Components Exposes Crypto Websites to Extensive Attacks

Posted 15th Dec 2025


On December 3, 2025, a critical unauthenticated remote code execution vulnerability, CVE-2025-55182, was disclosed affecting React Server Components. This flaw, rated CVSS 10.0, impacts React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 across react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack packages.

Patched React versions 19.0.1, 19.1.2, and 19.2.1 were promptly released, with required Next.js upgrades spanning release lines 14.2.35 to 16.0.10. Patching is the actual fix: relying on web application firewalls (WAFs) alone is insufficient to mitigate the risk.

Beginning in early December 2025, security groups observed widespread exploit activity targeting cryptocurrency websites. Threat actors ranged from opportunistic groups to government-backed entities, leveraging CVE-2025-55182 to intercept wallet communications, redirect funds, and deploy Monero-mining malware to monetize compromised sites. Attackers often disguise their traffic behind legitimate cloud services.

The Security Alliance issued warnings on December 13, 2025, urging immediate front-end code reviews to detect suspicious scripts and assets. They recommended comprehensive defenses including patching vulnerable React and Next.js versions, deploying WAFs, auditing dependencies, monitoring for wget or curl commands executed by web servers, searching for hidden directories, and detecting malicious shell configuration injections.
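The dependency audit recommended above can be scripted against the versions named in this article. The following is an added example, not code from React, Next.js, the Security Alliance, or the article's source: it walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json`, looks for the three `react-server-dom-*` packages, and flags copies below the fixed release of their minor line (19.0.1, 19.1.2, 19.2.1). The lockfile embedded at the bottom is constructed for illustration, and the per-minor fix table is derived only from the versions the article lists.

```javascript
// Added example: audit a package-lock.json for the React Server Components
// package versions named in the article. Not code from React, Next.js or any
// vendor tool; the SAMPLE_LOCK below is constructed.

const AFFECTED_PACKAGES = new Set([
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Vulnerable: 19.0.0, 19.1.0, 19.1.1, 19.2.0. Fixed: 19.0.1, 19.1.2, 19.2.1.
// Each 19.x minor line has its own first-fixed patch number.
const FIXED_PATCH_BY_MINOR = { '19.0': 1, '19.1': 2, '19.2': 1 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// True when the version sits in an advisory-listed 19.x line below its fix.
// Minor lines the article does not name (e.g. 18.x) are not judged here.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p || p.major !== 19) return false;
  const key = `${p.major}.${p.minor}`;
  if (!(key in FIXED_PATCH_BY_MINOR)) return false;
  return p.patch < FIXED_PATCH_BY_MINOR[key];
}

// First fixed release for the same minor line as the given version.
function fixedVersionFor(version) {
  const p = parseVersion(version);
  const key = `${p.major}.${p.minor}`;
  return `${key}.${FIXED_PATCH_BY_MINOR[key]}`;
}

// Lockfile "packages" keys look like "node_modules/react-server-dom-webpack" or,
// for a nested copy, "node_modules/next/node_modules/react-server-dom-turbopack".
// Nested copies matter: a patched top-level copy does not fix a vulnerable nested one.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!AFFECTED_PACKAGES.has(name) || !meta.version) continue;
    if (isVulnerable(meta.version)) {
      findings.push({ path, name, version: meta.version, fixed: fixedVersionFor(meta.version) });
    }
  }
  return findings;
}

// Constructed sample: one patched top-level copy, one vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/react-server-dom-webpack': { version: '19.2.1' },
    'node_modules/next/node_modules/react-server-dom-turbopack': { version: '19.1.1' },
    'node_modules/react': { version: '19.1.1' },
  },
};

const findings = auditLockfile(SAMPLE_LOCK);
for (const f of findings) {
  console.log(`${f.path}: ${f.version} is vulnerable, upgrade to ${f.fixed}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; for Yarn or pnpm lockfiles the walk over `packages` would need a different parser, since the keys and nesting differ.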

In a related incident from September 2025, a supply-chain attack linked to assets controlled by Josh Goldberg compromised 18 npm packages including chalk, debug, and strip-ansi. The Ledger described this as a large-scale supply chain breach wherein attackers used phishing to harvest two-factor authentication credentials for initial access. Crypto-clipper malware was also observed in this context.

Financially, global data from Ledger indicates over $3 billion was stolen in 119 incidents during the first half of 2025. Approximately 70% of these breaches resulted in funds being moved before disclosure, and only around 4.2% of stolen assets were recovered.

Organizations using affected React and Next.js versions, especially those serving cryptocurrency platforms, are strongly advised to implement the available patches and follow recommended monitoring and auditing practices to safeguard against ongoing and future attacks.

Sources
https://cryptonews.com/news/major-javascript-library-breach-puts-all-crypto-websites-at-risk/
* This article has been summarised using Artificial Intelligence and may contain inaccuracies. Please fact-check details with the sources provided.