A critical remote code execution (RCE) vulnerability in React Server Components, dubbed React2Shell (CVE-2025-55182), is being actively exploited to inject wallet drainers into legitimate crypto platforms. The flaw, assigned a maximum severity score of CVSS 10.0, allows unauthenticated attackers to hijack servers via a single malicious HTTP request.
Security Alliance (SEAL), a crypto-focused threat sharing coalition, issued an urgent warning regarding a “big uptick” in drainer scripts appearing on otherwise secure decentralized finance (DeFi) front-ends. Because the vulnerability affects React versions 19.0 through 19.2.0 and, by extension, the widely used Next.js framework, the attack surface encompasses a vast majority of modern Web3 user interfaces.
The Mechanism: Zero-Click Root Access
The vulnerability resides in the React Flight protocol, which handles data serialization between server and client. According to technical analysis by Wiz, the flaw stems from insecure deserialization. An attacker sends a crafted payload to a React Server Function endpoint, which the server processes without validation, granting the attacker immediate code execution privileges.
The vulnerability exists in the default configuration of affected applications… Exploitation requires only a crafted HTTP request.
Unlike previous supply chain attacks that required compromising a package maintainer (e.g., Ledger Connect Kit), React2Shell exploits the infrastructure itself. Once inside, attackers are modifying front-end code to intercept transaction signatures, redirecting user funds to drainer addresses.
Miners and Market Impact
Beyond theft, compromised infrastructure is being monetized for compute. Google’s Threat Intelligence Group (GTIG) reported that financially motivated actors are deploying XMRig miners on hijacked servers. This spike in illicit mining activity coincides with Monero (XMR) strengthening to $430 (+5.3%), as demand for privacy coins and anonymous compute power persists.
This incident forces a critical reassessment of server-side rendering (SSR) security in high-value financial applications. While Vercel and the React team have released patches (React 19.2.1), the “exploit-in-the-wild” status means unpatched dApps are currently open doors for capital flight.
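To check whether a front-end still resolves a release in the range this article gives (19.0 through 19.2.0, with 19.2.1 as the patched release), the sketch below scans the `packages` map of a `package-lock.json`. It is an added example, not code from React, Vercel, SEAL or Wiz; the watched package names, the lockfileVersion 2/3 layout and the sample lockfile are assumptions.

```javascript
// Range as stated in the article: React 19.0 through 19.2.0 affected, 19.2.1 patched.
const AFFECTED_MIN = [19, 0, 0];
const AFFECTED_MAX = [19, 2, 0];
// Assumption: package names to inspect; adjust to your own dependency tree.
const WATCHED = ["react", "react-dom", "react-server-dom-webpack"];

// Parse "19.2.0", "19.1.0-canary.3" or "19.0" into [major, minor, patch]; null if not a version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-+].*)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Prereleases of an in-range version are treated as affected (conservative).
function isAffected(version) {
  const p = parseVersion(version);
  return p !== null && cmp(p, AFFECTED_MIN) >= 0 && cmp(p, AFFECTED_MAX) <= 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2/3), including
// nested copies such as node_modules/next/node_modules/react.
function findAffected(lock, watched = WATCHED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (watched.includes(name) && meta && isAffected(meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "1.0.0" },
    "node_modules/react": { version: "19.2.1" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/next/node_modules/react": { version: "19.1.0" },
    "node_modules/some-lib/node_modules/react": { version: "18.3.1" },
  },
};

findAffected(SAMPLE_LOCK).forEach((h) => console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`));
```

Nested copies matter here: the sample's top-level `react` is patched, yet a transitive copy under `next` is still in range. The vendor advisories remain the authority for the exact fixed release on each branch.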