A severe security vulnerability in React Server Components, designated CVE-2025-55182, is being actively weaponized by threat actors to hijack servers, drain cryptocurrency wallets, and deploy Monero (XMR) mining malware. The Security Alliance issued urgent warnings on December 13, 2025, urging all websites, particularly crypto platforms, to review their front-end code immediately for suspicious assets.
The critical flaw, rated CVSS 10.0, is an unauthenticated remote code execution (RCE) vulnerability. It exploits how React decodes payloads sent to Server Function endpoints, allowing attackers to craft malicious HTTP requests that execute arbitrary code on vulnerable servers. The vulnerability impacts React versions 19.0, 19.1.0, 19.1.1, and 19.2.0 across multiple packages. Major frameworks including Next.js, React Router, Waku, and Expo require immediate updates to patched versions 19.0.1, 19.1.2, or 19.2.1.
Google's Threat Intelligence Group (TIG) documented widespread attacks beginning December 3, 2025, involving criminal groups ranging from opportunistic hackers to state-backed operations. These attackers have installed malware to maintain persistent access, create remote access tunnels, and deploy tools that continuously download additional malicious payloads. Financially motivated criminals joined the wave on December 5, installing crypto-mining software that secretly uses victims' computing power to generate Monero.
The attacks enable malicious code to intercept wallet communications during transaction signing, redirecting funds to attacker-controlled addresses. This comes amid a devastating year for crypto security; data from Global Ledger shows hackers stole over $3 billion across 119 incidents in the first half of 2025 alone, with only 4.2% of stolen assets recovered. Funds are now laundered in minutes, with one process reportedly taking just 2 minutes and 57 seconds.
Despite patches from React's team and Web Application Firewall (WAF) rules deployed by Vercel, researchers have already discovered two new, separate vulnerabilities in React Server Components while testing the fixes. This incident follows a major September 8, 2025, supply-chain attack where hackers compromised the npm account of developer Josh Goldberg, pushing malicious updates to 18 widely used packages with over 2.6 billion weekly downloads.
Security advisories recommend that organizations using React or Next.js patch immediately, deploy WAF rules, audit all dependencies, and monitor network traffic for suspicious commands such as wget or curl initiated by web server processes.