People love to say crypto is trustless. And they’re right.
But here’s the uncomfortable truth: most hacks don’t start on-chain. They start on websites.
That’s exactly what’s happening with a newly discovered React vulnerability that’s now being exploited in the wild. And yes, it’s serious enough that users could lose all their tokens if a site they trust gets compromised.
Security teams estimate thousands of websites are already exposed. Many of them run crypto apps.
The bug everyone should be worried about
The vulnerability, tracked as CVE-2025-55182 and now widely known as React2Shell, affects React Server Components. It allows attackers to execute code on a server without authentication.
No login.
No permissions.
Just control.
React disclosed the issue on December 3 and gave it the highest severity score possible. That alone should tell you how bad it is.
And attackers didn’t wait.
Crypto Drainers using React CVE-2025-55182

We are observing a big uptick in drainers uploaded to legitimate (crypto) websites through exploitation of the recent React CVE.

All websites should review front-end code for any suspicious assets NOW.

— Security Alliance (@_SEAL_Org) December 13, 2025
The Google Threat Intelligence Group (GTIG) reports that multiple hacking groups—ranging from profit-driven criminals to suspected state-backed actors—began exploiting the flaw almost immediately. Unpatched React and Next.js apps running in cloud environments became easy targets.
Why this bug is especially dangerous
React Server Components run logic on the server instead of the browser. That’s great for performance. Terrible when something goes wrong.
Because of how React decodes incoming requests, attackers can send a specially crafted request that tricks the server into running any command they want. In simple terms, the attacker gets the keys to the system.
The flaw impacts React versions 19.0 through 19.2.0, including packages used by Next.js. In many cases, just having the vulnerable package installed is enough to be at risk.
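Since the article says simply having a vulnerable package installed puts an app at risk, the first thing a developer needs is a quick inventory check. The script below is an added example, not code from the article, React or Next.js: it reads a package-lock.json "packages" map (a constructed sample is embedded) and flags React packages whose version falls inside the range the article names, 19.0 through 19.2.0 inclusive. The range boundary is taken literally from the article, so confirm the exact patched point releases against the React advisory; the watch list beyond "react" and "react-dom" is an assumption about which server-component runtime packages are worth checking.

```javascript
// Added example: audit a package-lock.json "packages" map for React packages
// inside the version range the article names (19.0 through 19.2.0, inclusive).
// Everything below, including the sample lockfile, is constructed for the demo.

// Packages to look at. "react" and "react-dom" are obvious; the
// react-server-dom-* runtimes are an assumption about where the
// server-component code path lives in a Next.js install.
const WATCHED_PACKAGES = new Set([
  'react',
  'react-dom',
  'react-server-dom-webpack',
  'react-server-dom-parcel',
  'react-server-dom-turbopack',
]);

// Range as stated in the article, inclusive at both ends.
const RANGE_START = [19, 0, 0];
const RANGE_END = [19, 2, 0];

// "v19.1.0", "19.1.0-rc.1" and "19.1.0+build" all normalise to [19, 1, 0].
function parseVersion(v) {
  const core = String(v).replace(/^v/, '').split(/[-+]/)[0];
  const parts = core.split('.').map(Number);
  if (parts.length !== 3 || parts.some((n) => Number.isNaN(n))) return null;
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function inAffectedRange(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable versions are reported separately in a real tool
  return compareVersions(v, RANGE_START) >= 0 && compareVersions(v, RANGE_END) <= 0;
}

// Lockfile v2/v3 keys look like "node_modules/react" or, for nested copies,
// "node_modules/next/node_modules/react". Nested copies matter: a patched
// top-level react does not help if a dependency still ships its own 19.1.0.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // the "" root entry is the project itself
    const name = path.slice(idx + 'node_modules/'.length);
    if (WATCHED_PACKAGES.has(name) && inAffectedRange(entry.version)) {
      findings.push({ name, version: entry.version, path });
    }
  }
  return findings;
}

// Constructed sample: one patched nested copy (18.x) and three in-range packages.
const SAMPLE_LOCK = {
  name: 'example-dapp',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-dapp' },
    'node_modules/react': { version: '19.1.0' },
    'node_modules/react-dom': { version: '19.1.0' },
    'node_modules/react-server-dom-webpack': { version: '19.1.0' },
    'node_modules/some-widget/node_modules/react': { version: '18.3.1' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// Usage: node audit-react.js  (swap SAMPLE_LOCK for require('./package-lock.json'))
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it from the project root against the real lockfile and treat any finding as a reason to upgrade; the nested-path check is the part people usually miss when they only look at the top-level package.json.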
How attackers are cashing in
GTIG has already documented active attack campaigns using this bug to deploy:
- Malware
- Persistent backdoors
- Crypto-mining software, especially Monero miners
These attacks quietly drain server resources, increase cloud costs, and slow down applications—all while generating profits for attackers.
But crypto platforms face a much bigger problem.
Most crypto apps rely on React-based front ends to handle:
- Wallet connections
- Transaction approvals
- Signing requests
If attackers compromise the front end, they don’t need to touch the blockchain at all.
They can inject malicious scripts that:
- Intercept wallet interactions
- Change transaction details
- Redirect funds to attacker-controlled wallets
From the user’s perspective, everything looks normal. The wallet pops up. The transaction gets signed. The blockchain works exactly as designed.
That’s what makes this so dangerous.
The takeaway
This isn’t a blockchain failure.
It’s a front-end trust problem.
Even the most secure protocol can’t protect users if the website they’re interacting with has been hijacked.
For developers, the message is clear: patch immediately.
For users, it’s a reminder: always be cautious about what you’re signing—even on sites you’ve used a hundred times before.
In crypto, security doesn’t fail all at once.
It leaks.
And this React bug is a big one.