React vulnerability sparks surge in crypto wallet drainers

Security Alliance (SEAL) have issued a warning that hackers are exploiting a serious React vulnerability to take over cryptocurrency websites. The SEAL stated that the vulnerability is fueling a surge of wallet-draining attacks that put users and platforms at immediate risk.

React Server Components (RSCs) feed the rendered result to clients (browsers) while operating on the server, rather than in the browser. However, the React team discovered a critical vulnerability with a maximum severity rating of 10 out of 10 in these packages.

Unpatched React servers risk remote code execution attacks

The React team issued an advisory stating that the vulnerability, known as React2Shell and listed as CVE-2025-55182, allows attackers to remotely execute code on compromised servers without requiring authentication. React’s maintainers reported the vulnerability on December 3 and assigned it the highest possible severity score.

According to the React team, CVE-2025-55182, affects the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages in versions 19.0, 19.1.0, 19.1.1, and 19.2.0.

Crypto Drainers using React CVE-2025-55182

We are observing a big uptick in drainers uploaded to legitimate (crypto) websites through exploitation of the recent React CVE.

All websites should review front-end code for any suspicious assets NOW.

— Security Alliance (@_SEAL_Org) December 13, 2025

SEAL urged that “All websites should review front-end code for any suspicious assets NOW.” The SEAL further stated that users should exercise caution when signing any crypto-related permission signature, as all websites, not just those using Web3 protocols, are vulnerable.

According to SEAL, all web development teams should scan hosts for CVE-2025-55182 and see if their code is unexpectedly loading assets from unknown hosts. Seal further instructed that teams should confirm the wallet displays the correct recipient on the signature signing request. The teams should also determine whether any of the “Scripts” loaded by their code are obfuscated JavaScript.

Shortly after the disclosure of CVE-2025-55182, SEAl found two more vulnerabilities in React Server Components while testing the previous patch. According to the React blog, SEAL disclosed CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5), which are identified as Denial of Service and High Severity vulnerabilities. Next, SEAL disclosed CVE-2025-55183 (CVSS 5.3) which the researchers identified as Source Code Exposure and Medium Severity.

The React team advised that all websites should upgrade immediately due to the seriousness of the recently revealed vulnerabilities.

According to JS’s advisory, the denial-of-service vulnerability, identified as CVE-2025-55184, allows attackers to create malicious HTTP requests and send them to any App Router or Server Function endpoint. The report further explained that these requests create an endless loop that hangs the server process and prevents future HTTP requests from being served.

According to the Common Vulnerability Scoring System (CVSS), CVE-2025-55184 carries a high severity score of 7.5 out of 10.

CVE-2025-55183, the second source code leakage vulnerability, has a medium severity rating of 5.3 out of 10.

According to Next.js, the exploit chain would be similar. Next.js explained that a susceptible endpoint receives a specially constructed HTTP request from the attacker, which returns the source code of any Server Function. Next. js team cautioned that hardcoded secrets and the company’s logic could be exposed by disclosing generated source code.

Crypto drainers refine evasion tactics for stealthy crypto theft

The rise in drainers, facilitated by the React vulnerability, coincides with the testing of new strategies by crypto-stealing drainer operators and their affiliates to evade detection and exploit crypto wallets. 

According to crypto security specialists from the Security Alliance (SEAL), drainer affiliates are now utilizing high-reputation domains for landing pages and payload hosting, re-registering previously valid domains, and implementing sophisticated fingerprinting techniques. The Security researchers claimed that the goal is to disseminate crypto-drainers, a harmful piece of JavaScript that is injected into phishing websites, and thwart security researchers.

SEAL said that evasion tactics vary among affiliates of a particular drainer family and are not consistently enforced at the drainer service level.

In a different cryptocurrency crime scenario, DeFi protocol Aevo (previously Ribbon Finance) announced on Sunday that $2.3 million had been drained from its vaults. DeFi creator Anton Cheng claimed that an updated Oracle code, which made it possible for anyone to set prices for new assets, was the primary cause of the breach.

Join a premium crypto trading community free for 30 days - normally $100/mo.