Bitcoinist 2025-12-16 00:00:46

Crypto Wallets Targeted In JavaScript Library Exploit—Cybersecurity Firm

A critical flaw in React Server Components is being used by attackers to inject malicious code into live websites, and that code is siphoning crypto from connected wallets. Reports note that the vulnerability, tracked as CVE-2025-55182, was published by the React team on December 3 and carries a maximum severity rating. Cybersecurity firm Security Alliance (SEAL) has confirmed that multiple crypto websites are actively being targeted, and they urge operators to review all React Server Components immediately to prevent wallet-draining attacks. Security teams say the bug allows an unauthenticated attacker to run code on affected servers, which has been turned into wallet-draining campaigns across several sites.

A Wide Risk To Sites Using Server Components

SEAL said the flaw affects React Server Components packages in versions 19.0 through 19.2.0, and patched releases such as 19.0.1, 19.1.2, and 19.2.1 were issued after disclosure.

Crypto Drainers using React CVE-2025-55182

We are observing a big uptick in drainers uploaded to legitimate (crypto) websites through exploitation of the recent React CVE. All websites should review front-end code for any suspicious assets NOW.

— Security Alliance (@_SEAL_Org) December 13, 2025

The vulnerability works by exploiting unsafe deserialization in the Flight protocol, letting a single crafted HTTP request execute arbitrary code with the web server’s privileges. Security teams have warned that many sites using default configurations are at risk until they apply the updates.

Attackers Inject Wallet-Draining Scripts Into Compromised Pages

According to industry posts, threat actors are using the exploit to plant scripts that prompt users to connect Web3 wallets and then hijack or redirect transactions. In some cases the injected code alters the user interface or swaps addresses, so a user believes they are sending funds to one account while the transaction actually pays an attacker. This method can hit users who trust familiar crypto sites and connect wallets without checking every approval.

Scanners And Proof-Of-Concepts Flooded Underground Forums

Security researchers report a rush of scanning tools, fake proof-of-concept code, and exploit kits shared in underground forums shortly after the vulnerability was disclosed. Cloud and threat-intelligence teams have observed multiple groups scanning for vulnerable servers and testing payloads, which has accelerated active exploitation. Some defenders say that the speed and volume of scanning have made it hard to stop all attempts before patches are applied.

More Than 50 Organizations Reported Compromise Attempts

Based on reports from incident responders, post-exploitation crypto activity has been observed at more than 50 organizations across finance, media, government, and tech. In several investigations, attackers established footholds and then used those to deliver further malware or to seed front-end code that targets wallet users. SEAL has emphasized that organizations failing to patch or monitor their servers could experience further attacks, and ongoing monitoring is essential until all systems are verified safe.
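For operators acting on the patch guidance above, a lockfile audit against the version lines the article lists, as an added example that is not code from the article, the React team or SEAL. The npm package names, the function names `classify` and `auditLockfile`, and the sample lockfile are assumptions made for illustration; the article only refers to "React Server Components packages".

```javascript
// Assumption: npm package names; the article only says "React Server Components packages".
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First patched patch-level per 19.x line, from the article: 19.0.1, 19.1.2, 19.2.1.
const FIRST_PATCHED = { "19.0": 1, "19.1": 2, "19.2": 1 };

function classify(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(version));
  if (!m) return "review"; // pre-release, git or tag spec: check by hand
  const fix = FIRST_PATCHED[`${m[1]}.${m[2]}`];
  if (fix === undefined) return "outside-range"; // not a line the article names
  return Number(m[3]) < fix ? "affected" : "patched";
}

// Takes a parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i < 0) continue; // root project or workspace entry
    const name = path.slice(i + "node_modules/".length);
    if (!RSC_PACKAGES.has(name)) continue;
    const status = classify(meta.version);
    // Nested copies matter: a dependency can pin its own unpatched version.
    if (status === "affected" || status === "review") {
      findings.push({ path, version: meta.version, status });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.1.1" },
    "node_modules/fw/node_modules/react-server-dom-turbopack": { version: "19.2.1" },
    "node_modules/lib/node_modules/react-server-dom-parcel": { version: "19.0.0" },
    "node_modules/old/node_modules/react-server-dom-webpack": { version: "19.2.0-canary" },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

A clean result only says the dependency tree is patched; it does not show whether a site was already tampered with, so the front-end asset review SEAL calls for still applies.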
