Critical RCE in React Server Components threatens DeFi front-ends.
A maximum-severity vulnerability in React Server Components, dubbed React2Shell (CVE-2025-55182), is being actively exploited to deploy malware and potentially inject wallet drainers into crypto platforms. The flaw, assigned a rare CVSS score of 10.0, allows unauthenticated attackers to execute arbitrary code on servers running React versions 19.0 through 19.2.0.
The Mechanism: The vulnerability resides in the React “Flight” protocol, which handles the serialization of component trees. Attackers can bypass validation on the server-side decoder, injecting malicious objects that the server deserializes and executes. For DeFi users, this is catastrophic: a compromised front-end can silently replace smart contract interactions, redirecting user funds to attacker wallets even if the underlying blockchain protocol remains secure.
The root cause is that affected React Server Components versions do not validate incoming Flight payloads, so attacker-supplied structures are accepted as if they were legitimate serialized component data.
Institutional Context: Active State-Level Exploitation
The Google Threat Intelligence Group (GTIG) confirmed today that at least five China-nexus threat groups, including those tracked as UNC6600 and UNC6586, are weaponizing the bug. While initial payloads focused on installing XMRig cryptocurrency miners to steal compute power, the vector allows for full server takeover. Security researchers note that these groups are rapidly shifting tactics to deploy backdoors like MINOCAT and SNOWLIGHT, securing persistent access to high-value infrastructure.
Immediate Action: Engineering teams using Next.js or React Server Components must upgrade to patched versions immediately. The window between disclosure and active exploitation was less than 30 hours, leaving unpatched deployments exposed to automated scanning campaigns that are already sweeping the internet.
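As an added illustration of the upgrade check (this is example code written for this article, not code from the React project or from the security researchers cited), the script below audits a flattened dependency map for React packages whose version falls inside the range the article reports as affected, 19.0 through 19.2.0. The package name `react` comes from the article; treating `react-dom` and the `react-server-dom-*` packages as versioned in lockstep with `react`, and the flattened `{name: version}` input shape, are assumptions. No fixed version is hard-coded, because the article names none; the script only reports what sits inside the affected range.

```javascript
// Added example (not from the article): flag React / React Server Components
// packages inside the version range the article reports as affected by
// CVE-2025-55182 (React 19.0 through 19.2.0), for a quick pre-upgrade audit.
//
// Assumptions (not stated in the article): react-dom and react-server-dom-*
// are versioned in lockstep with react, and the lockfile has already been
// flattened into a {name: versionSpec} map like SAMPLE_DEPS below.

// Package names to compare against the affected range. "react" is from the
// article; the other names are assumptions about the React release train.
const WATCHED = /^(react|react-dom|react-server-dom-[a-z]+)$/;

// Affected range reported by the article: 19.0.x up to and including 19.2.0.
const AFFECTED_MIN = [19, 0, 0];
const AFFECTED_MAX = [19, 2, 0];

// Parse "19.2.0", "^19.1.0", "~19.0.1" or "19.2.0-canary-xyz" into
// [major, minor, patch]. Range prefixes are stripped so the lowest version the
// range admits is what gets judged; pre-release suffixes are ignored, which is
// the conservative choice (a 19.2.0 canary is treated as 19.2.0).
function parseVersion(spec) {
  const m = /^[\^~>=\s]*v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(spec);
  if (!m) return null; // "latest", "workspace:*", git URLs: cannot be judged here
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? 0)];
}

// Lexicographic compare of two [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true / false for parseable specs, null when the spec cannot be resolved.
function isAffected(spec) {
  const v = parseVersion(spec);
  if (v === null) return null;
  return compare(v, AFFECTED_MIN) >= 0 && compare(v, AFFECTED_MAX) <= 0;
}

// Returns {affected: [...], unknown: [...]} for a {name: versionSpec} map.
// Unresolvable specs are reported separately so they are reviewed by hand
// rather than silently treated as safe.
function auditDependencies(deps) {
  const affected = [];
  const unknown = [];
  for (const [name, spec] of Object.entries(deps)) {
    if (!WATCHED.test(name)) continue;
    const verdict = isAffected(spec);
    if (verdict === null) unknown.push(`${name}@${spec}`);
    else if (verdict) affected.push(`${name}@${spec}`);
  }
  return { affected, unknown };
}

// Constructed sample standing in for a flattened lockfile (not a real project).
const SAMPLE_DEPS = {
  react: "19.1.0",
  "react-dom": "19.1.0",
  "react-server-dom-webpack": "19.1.0",
  next: "15.0.0",
  lodash: "4.17.21",
  "react-server-dom-turbopack": "workspace:*",
};

// Usage: prints the affected and unresolvable entries for the sample map.
console.log(JSON.stringify(auditDependencies(SAMPLE_DEPS), null, 2));
```

In a real pipeline the map would be built from `package-lock.json` (or the equivalent for pnpm or yarn) rather than hand-written, and any entry in `unknown` should block the build until someone resolves what version it actually pulls in.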