React2Shell: Critical RCE Flaw Exposes Crypto Front-Ends to Wallet Drainers

A critical supply chain vulnerability in React Server Components (RSC) is actively being exploited to inject wallet-draining scripts into legitimate crypto applications. The flaw, tracked as CVE-2025-55182, carries a maximum severity score of CVSS 10.0 and allows unauthenticated attackers to execute arbitrary code on servers running unpatched versions of React and Next.js.

The Mechanism: Insecure Deserialization

Disclosed by the React team on December 3, the vulnerability, dubbed “React2Shell,” stems from insecure deserialization within the “Flight” protocol used to shuttle data between client and server. Attackers can send a crafted HTTP request to a target server, bypassing authentication to achieve Remote Code Execution (RCE). Once inside, they can silently modify the front-end to serve malicious payloads to users.

This creates a nightmare scenario for DeFi users: interacting with a trusted, immutable smart contract via a compromised user interface.

Active Exploitation in the Wild

The Security Alliance (SEAL), a crypto cybersecurity collective, confirmed an “uptick” in attacks leveraging this specific CVE to deploy drainers. Unlike protocol-level hacks, the smart contracts remain secure, but the access point, the website, is weaponized. Victims believe they are signing a standard transaction on a familiar platform, only to approve a malicious “permit” signature that grants attackers full access to their assets.

“We are observing a big uptick in drainers uploaded to legitimate crypto websites through exploitation of the recent React CVE. All websites should review front-end code for any suspicious assets NOW.” Security Alliance (SEAL)

Institutional Context: Infrastructure Risk

This incident underscores how fragile Web3’s reliance on Web2 infrastructure is. While protocols are audited for logic errors, the front-end delivery infrastructure remains susceptible to classic server-side vulnerabilities. Palo Alto Networks Unit 42 has already observed attackers installing web shells and attempting to harvest cloud credentials from compromised instances.

Immediate Remediation

Developers using React Server Components must upgrade immediately. The vulnerability affects React versions 19.0.0 through 19.2.0 and Next.js versions 15.x and 16.x. Patches have been released in React versions 19.0.1, 19.1.2, and 19.2.1.
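As an added example (not code from the article or from the React or Next.js projects), the following Node.js script checks the `packages` map of a parsed npm lockfile against the version ranges listed above. The set of package names it inspects and the sample lockfile are assumptions constructed for illustration; because the article lists no fixed Next.js releases, Next.js 15.x and 16.x are only flagged for manual review.

```javascript
// Added example; affected and fixed versions are the ones stated in the article.
// Assumption: the npm package names to inspect (the article names only React and Next.js).
const REACT_PACKAGES = /^(react|react-dom|react-server-dom-[a-z]+)$/;
// First patched release for each affected React minor line.
const REACT_FIXED = { "19.0": [19, 0, 1], "19.1": [19, 1, 2], "19.2": [19, 2, 1] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1).map(Number) : null;
}

function classify(name, version) {
  const isReact = REACT_PACKAGES.test(name);
  if (!isReact && name !== "next") return null; // not a package of interest
  const v = parseVersion(version);
  if (!v) return { name, version, status: "unparsed" };
  if (isReact) {
    const fixed = REACT_FIXED[`${v[0]}.${v[1]}`];
    return fixed && v[2] < fixed[2]
      ? { name, version, status: "affected", upgradeTo: fixed.join(".") }
      : { name, version, status: "ok" };
  }
  // No fixed Next.js release is given in the article: flag 15.x/16.x for manual review.
  return { name, version, status: v[0] === 15 || v[0] === 16 ? "review" : "ok" };
}

// Walk an npm lockfile (v2/v3 "packages" map), including nested copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1) continue; // root project or workspace entry
    const result = classify(path.slice(i + "node_modules/".length), meta.version);
    if (result && result.status !== "ok") findings.push({ path, ...result });
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-dapp", version: "1.0.0" },
  "node_modules/react": { version: "19.1.1" },
  "node_modules/react-dom": { version: "19.2.1" },
  "node_modules/react-server-dom-webpack": { version: "19.0.0" },
  "node_modules/next": { version: "15.3.0" },
  "node_modules/widget/node_modules/react": { version: "18.3.1" },
} };

console.log(auditLockfile(SAMPLE_LOCK));
```

To audit a real project, pass the result of `JSON.parse` on its `package-lock.json` to `auditLockfile` in place of the sample object.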

About the Author

Amir Rocha

Crypto News Reporter

I’m Amir Rocha, a reporter who believes you shouldn't need a computer science degree to understand the future of money. I spend my days translating technical developments from Zero-Knowledge rollups into clear, actionable insights for SEC filings. After 8 years in the blockchain space, I’ve learned that the most important story isn't the price, but the technology underneath. I write to help you spot the difference between genuine innovation and a marketing gimmick.
