Crypto Wallets Targeted In JavaScript Library Exploit—Cybersecurity Firm
A critical flaw in React Server Components is being used by attackers to inject malicious code into live websites, and that code is siphoning crypto from connected wallets.
Reports note that the vulnerability, tracked as CVE-2025-55182, was disclosed by the React team on December 3 and carries a maximum severity score.
Cybersecurity firm Security Alliance (SEAL) has confirmed that a number of crypto websites are actively being targeted, and it urges operators to review all React Server Components immediately to prevent wallet-draining attacks.
Security teams say the bug allows an unauthenticated attacker to run code on affected servers, which has been turned into wallet-draining campaigns across a number of websites.
A Wide Risk To Sites Using Server Components
SEAL said the flaw affects React Server Components packages in versions 19.0 through 19.2.0, and patched releases such as 19.0.1, 19.1.2, and 19.2.1 were issued after disclosure.
Crypto Drainers utilizing React CVE-2025-55182
We are observing a giant uptick in drainers uploaded to legit (crypto) websites by way of exploitation of the latest React CVE.
All websites ought to review front-end code for any suspicious property NOW.
— Security Alliance (@_SEAL_Org) December 13, 2025
The vulnerability works by exploiting unsafe deserialization in the Flight protocol, letting a single crafted HTTP request execute arbitrary code with the web server's privileges. Security teams have warned that many websites using default configurations are at risk until they apply the updates.
Attackers Inject Wallet-Draining Scripts Into Compromised Pages
According to industry posts, threat actors are using the exploit to plant scripts that prompt users to connect Web3 wallets and then hijack or redirect transactions.
In some cases the injected code alters the user interface or swaps addresses, so a user believes they're sending funds to one account while the transaction actually pays an attacker. This method can hit users who trust familiar crypto sites and connect wallets without checking every approval.
Scanners And Proof-Of-Concepts Flooded Underground Forums
Security researchers report a rush of scanning tools, fake proof-of-concept code, and exploit kits shared in underground forums shortly after the vulnerability was disclosed.
Cloud and threat-intelligence teams have observed a number of groups scanning for vulnerable servers and testing payloads, which has accelerated active exploitation.
Some defenders say that the speed and volume of scanning have made it hard to stop all attempts before patches are applied.
More Than 50 Organizations Reported Compromise Attempts
Based on reports from incident responders, post-exploitation crypto activity has been observed at more than 50 organizations across finance, media, government, and tech.
In a number of investigations, attackers established footholds and then used them to deliver additional malware or to seed front-end code that targets wallet users.
SEAL has emphasized that organizations failing to patch or monitor their servers may experience further attacks, and ongoing monitoring is essential until all systems are verified secure.
