React critical vulnerability exploited on a large scale, crypto platform faces token theft risk
Recently, a critical security vulnerability disclosed in React Server Components has raised significant industry concern. The vulnerability is tracked as CVE-2025-55182 and is also known as React2Shell. It has been actively exploited by multiple threat groups and affects thousands of websites, including cryptocurrency platforms, posing a direct risk to user asset security.
This flaw allows attackers to execute remote code on affected servers without authentication. The React team publicly disclosed the issue on December 3rd, assigning it the highest severity level. Subsequently, Google Threat Intelligence Group (GTIG) confirmed that the vulnerability has been rapidly weaponized in real-world environments, involving both financially motivated hackers and suspected state-sponsored actors, targeting cloud deployments and unpatched React and Next.js applications.
Technically, React Server Components execute certain application logic directly on the server, and the vulnerability stems from a flaw in how that mechanism decodes incoming request data. Attackers can craft specially designed web requests that trick the server into executing arbitrary system commands, giving them full control of the server environment. The problem affects React versions 19.0 to 19.2.0, as well as the packages that mainstream frameworks such as Next.js depend on; merely having the affected components installed can expose an attack entry point.
GTIG has observed multiple attack cases where hackers deploy backdoors, malicious scripts, and cryptocurrency mining software, especially Monero miners. These covert attacks continuously consume server computing power and electricity, leading to performance degradation and generating long-term profits for attackers.
For the crypto industry, the risks are particularly acute. Many crypto trading platforms and Web3 applications rely on React and Next.js for frontend wallet interactions, transaction signing, and authorization processes. Once the frontend or server is compromised, attackers could inject malicious code, intercept user signing requests, or covertly replace transaction addresses with their own wallet addresses. Even if the underlying blockchain protocol remains secure, users may unknowingly suffer total asset loss.
Overall, this React vulnerability underscores the critical importance of front-end and server security within the crypto ecosystem. For operators, promptly applying patches, auditing dependency components, and strengthening frontend security measures are urgent priorities; meanwhile, ordinary users should remain vigilant against suspicious transaction behaviors and avoid performing asset operations on websites with security vulnerabilities. (CoinDesk)
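As an added example that is not part of the CoinDesk report, the dependency audit recommended above can start with the lockfile: the Node.js script below scans an npm package-lock.json for React packages whose version falls in the range the article names, 19.0 to 19.2.0, including copies nested under other dependencies. The list of package names checked and the sample lockfile are constructed assumptions, not data from the report.

```javascript
// Added example (not from the article): flag React packages in an npm lockfile whose
// version falls in the range the article names, 19.0 to 19.2.0 (inclusive).
const AFFECTED_MIN = [19, 0, 0];
const AFFECTED_MAX = [19, 2, 0];
// Assumed list of package names to check; extend it for your own dependency tree.
const REACT_PACKAGES = new Set(["react", "react-dom"]);

// Parse "major.minor.patch" numerically, ignoring any prerelease suffix (e.g. "-canary").
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// Three-component numeric compare; missing components count as zero.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) - (b[i] || 0);
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return cmp(v, AFFECTED_MIN) >= 0 && cmp(v, AFFECTED_MAX) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys look like
// "node_modules/react" or "node_modules/next/node_modules/react" (a nested copy).
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path || !meta.version) continue; // "" is the root project entry
    const name = meta.name || path.split("node_modules/").pop();
    if (REACT_PACKAGES.has(name) && isAffected(meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level React is outside the stated range,
// but a nested copy under "next" is inside it and must be reported.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-ui", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/next": { version: "0.0.0-constructed" },
    "node_modules/next/node_modules/react": { version: "19.1.0" },
  },
};

for (const h of findAffected(sampleLock)) console.log(`AFFECTED ${h.path} ${h.version}`);
```

In a real audit, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and treat any hit as a package to upgrade before the service is exposed again.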