React Server Components Vulnerability Sparks Widespread Cryptocurrency Attacks

Critical Vulnerability in React Server Components

A serious vulnerability in React Server Components, tracked as CVE-2025-55182, is being exploited by cybercriminals to hijack servers, siphon cryptocurrency, and install Monero mining software on compromised systems. The exploitation has raised concern across the cryptocurrency sector, and the Security Alliance notes that losses could worsen.

Impact and Exploitation

The security firm warned that the flaw affects not only decentralized Web3 platforms but any website that uses React. Attackers are using the flaw to intercept transaction signatures, putting users' crypto wallets at risk by redirecting funds to accounts the attackers control.

Details of the Vulnerability

The React team disclosed this critical vulnerability on December 3, assigning it a CVSS score of 10.0. The disclosure followed a report that security researcher Lachlan Davidson submitted through Meta's Bug Bounty program on November 29. The core issue lies in the way React processes payloads sent to Server Function endpoints, which allows malicious HTTP requests to execute arbitrary code on affected servers.

Versions Affected and Patches Released

Several versions of React, including 19.0, 19.1.0, 19.1.1, and 19.2.0, are vulnerable when used with the packages react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Frameworks such as Next.js, React Router, and Expo also require immediate updates to close this security hole. Patches have been released as versions 19.0.1, 19.1.2, and 19.2.1, and Next.js users need to upgrade from release lines ranging from 14.2.35 to 16.0.10.
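
As an added example (not code from the React or Next.js projects), the version list above can be checked against an npm lockfile; the function name, the sample lockfile, and reading "19.0" as 19.0.0 are assumptions made for illustration.

```javascript
// Added example: audit an npm lockfile for the React Server Components
// package versions the article lists as vulnerable.
const RSC_PACKAGES = [
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
];
// Versions from the article; "19.0" is read as 19.0.0 (assumption).
const AFFECTED = new Set(['19.0.0', '19.1.0', '19.1.1', '19.2.0']);
// Patched release for each 19.x line, as listed in the article.
const FIXED_BY_LINE = { '19.0': '19.0.1', '19.1': '19.1.2', '19.2': '19.2.1' };

function auditLockfile(lock) {
  const findings = [];
  // lockfileVersion 2 and 3 record every installed copy under "packages",
  // keyed by install path, so nested (transitive) copies are visible too.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project or workspace entry
    const name = path.slice(idx + 'node_modules/'.length);
    if (!RSC_PACKAGES.includes(name)) continue; // exact name match only
    const version = String(meta.version || '').split('+')[0]; // drop build metadata
    if (!AFFECTED.has(version)) continue;
    const line = version.split('.').slice(0, 2).join('.');
    findings.push({ path, name, version, upgradeTo: FIXED_BY_LINE[line] });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.1' },
    'node_modules/react-server-dom-parcel': { version: '19.2.1' },
    // Nested copy pulled in by a hypothetical framework package.
    'node_modules/demo-framework/node_modules/react-server-dom-turbopack': { version: '19.0.0' },
    // Hypothetical look-alike name: must not match.
    'node_modules/react-server-dom-webpack-extra': { version: '19.1.0' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} -> upgrade to ${f.upgradeTo}`);
}
```

For a real project, pass the parsed contents of `package-lock.json` to `auditLockfile`; framework releases that need their own update (Next.js, React Router, Expo) are not checked here.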

Ongoing Threats and Additional Vulnerabilities

Researchers examining the patches have since uncovered additional vulnerabilities in React Server Components, further complicating the picture. Vercel, the company behind Next.js, implemented Web Application Firewall (WAF) measures to shield projects, but stressed that deploying the latest updates is essential for comprehensive protection.

Surge in Attacks and Financial Implications

Google's Threat Intelligence Group has reported a surge in attacks since the vulnerability was disclosed, attributing the activity to various hacker groups, including state-sponsored ones. Chinese hackers are particularly noted for loading compromised servers with different types of malware. Such malware often establishes persistent access, either by creating remote access points or by disguising malicious files within system folders to evade detection, which allows exploitation to continue.

Financially motivated criminals joined in starting December 5, installing Monero mining software on affected devices to hijack computing resources for profit. Discussion of these attacks and sharing of tools spread rapidly across underground forums.

Historical Context and Urgency for Action

This situation follows an orchestrated supply chain attack in September, in which the npm account of Josh Goldberg was compromised, leading to the distribution of harmful updates across 18 popular packages, utilities that collectively receive billions of downloads weekly. The malicious updates raised concerns about the safety of cryptocurrency transactions, prompting Ledger's CTO to advise users against making on-chain transactions without secure hardware wallets.

Reports put cryptocurrency losses at $3 billion from 119 incidents in the first half of 2025 alone, with rapid laundering techniques moving stolen assets within minutes. With only 4.2% of stolen funds recovered, patching systems that use React or Next.js is urgent. Victims are urged to update to the latest versions, implement WAF rules, and audit their dependencies regularly to mitigate further risks.