**Breaking News: Critical React Bug Exposes Thousands of Websites to Token Drain**
A critical vulnerability in the widely used React library, tracked as CVE-2025-55182 and nicknamed "React2Shell," allows attackers to execute code on affected servers without authentication. Thousands of websites are exposed, and because a compromised server can tamper with the front-end code it serves, the flaw is being linked to crypto-jacking and potential token-drain attacks.
According to a report by Google Threat Intelligence Group (GTIG), multiple threat groups are actively exploiting the flaw to deploy malware and crypto-mining software that consumes server resources. On crypto platforms the same access could be used to alter the pages served to users and intercept wallet interactions, putting users' assets at risk of being drained.
The vulnerability stems from how React decodes the payload of incoming requests to server functions, the server-side functions that React Server Components let client code call over HTTP. A specially crafted request can make the server run attacker-supplied code, which in practice hands the attacker control of the host. It affects React 19.0.0 through 19.2.0, specifically the react-server-dom-webpack, react-server-dom-parcel and react-server-dom-turbopack packages that frameworks such as Next.js build on; the fixed releases are 19.0.1, 19.1.2 and 19.2.1.
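As an added example, not code from the article or from the React project, the following Node script audits a package-lock.json for installed copies of the affected packages, including nested copies under other packages' node_modules. The package names and the fixed releases 19.0.1, 19.1.2 and 19.2.1 are taken from the upstream React advisory rather than from this article, so confirm them there; the sample lockfile is constructed.

```javascript
// Added example (not code from the article or from the React project).
// Audits an npm package-lock.json (lockfileVersion 2 or 3) for React packages
// affected by CVE-2025-55182. The package names and fixed releases below are
// taken from the upstream React advisory; confirm them there before relying
// on this script.

// Packages that contain the vulnerable server-function request decoding.
const AFFECTED_PACKAGES = new Set([
  "react",
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

// First patched release of each 19.x minor line: 19.0.1, 19.1.2, 19.2.1.
// A plain "19.0.0 .. 19.2.0" range check would wrongly flag the patched
// 19.0.1 and 19.1.2 (both numerically inside that range), so the check is
// done per minor line instead.
const FIXED_PATCH_BY_MINOR = { 0: 1, 1: 2, 2: 1 };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: Boolean(m[4]) };
}

// Returns "vulnerable", "ok" or "review" for a version of an affected package.
function classify(version) {
  const p = parseVersion(version);
  if (!p) return "review";                   // unparseable: inspect by hand
  if (p.major !== 19) return "ok";           // only 19.x is listed as affected
  const fixedPatch = FIXED_PATCH_BY_MINOR[p.minor];
  if (fixedPatch === undefined) return "ok"; // minor lines newer than the fix
  if (p.patch < fixedPatch) return "vulnerable";
  if (p.prerelease) return "review";         // e.g. 19.2.1-canary-* may predate the fix
  return "ok";
}

// Walks every installed copy, including nested ones under other packages'
// node_modules, and returns the entries that need attention.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.version) continue; // "" is the root project entry
    const name = path.split("node_modules/").pop();
    if (name === "next") {
      // Next.js vendors its own build of react-server-dom-webpack under
      // next/dist/compiled; it never appears as a lockfile entry, so the
      // Next.js version itself must be checked against the Next.js advisory.
      findings.push({ path, name, version: meta.version, status: "review",
        reason: "bundles its own react-server-dom copy; check the Next.js advisory" });
      continue;
    }
    if (!AFFECTED_PACKAGES.has(name)) continue;
    const status = classify(meta.version);
    if (status !== "ok") {
      findings.push({ path, name, version: meta.version, status, reason: "CVE-2025-55182" });
    }
  }
  return findings;
}

// Constructed sample lockfile for demonstration; not a real project.
const SAMPLE_LOCK = {
  name: "wallet-frontend",
  lockfileVersion: 3,
  packages: {
    "": { name: "wallet-frontend", dependencies: { next: "^15.5.0", react: "^19.2.0" } },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/react-server-dom-webpack": { version: "19.2.0" },
    "node_modules/next": { version: "15.5.0" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
    "node_modules/admin-ui/node_modules/react": { version: "19.1.2" },
    "node_modules/preview/node_modules/react-server-dom-parcel": { version: "19.2.1-canary" },
  },
};

// Usage: node audit-react.js [path/to/package-lock.json]
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.status.padEnd(10)} ${f.path} ${f.version} (${f.reason})`);
  }
}
```

Two points the script encodes that a quick `grep` misses: the patched 19.0.1 and 19.1.2 sit numerically inside the "19.0 through 19.2.0" window, so the comparison has to be per minor line, and Next.js carries its own copy of react-server-dom-webpack that is invisible in the lockfile, so the Next.js version has to be checked on its own.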
GTIG documented multiple active campaigns using the flaw to deploy malware, backdoors and crypto-mining software. Some attackers began exploiting it within days of disclosure to install Monero miners, quietly consuming server CPU and electricity for the attackers' profit. A miner is often only the most visible payload: a backdoor dropped alongside it can outlive the miner's removal.
Crypto platforms rely heavily on modern JavaScript frameworks such as React and Next.js, and often handle wallet connections, transaction signing and permit approvals in front-end code. If the server is compromised, attackers can inject malicious scripts into the pages it serves that alter the transaction a user is asked to sign, for example by replacing the recipient address, or that redirect funds to attacker-controlled wallets, even though the underlying blockchain protocol remains secure. The browser wallet still shows its confirmation prompt, but what it displays is the transaction the compromised page constructed, so verifying the recipient and contract in that prompt is the one check the page itself cannot subvert.
This makes front-end vulnerabilities particularly dangerous for users who sign transactions through browser wallets. React's maintainers disclosed the issue on December 3, 2025 and assigned it a CVSS score of 10.0, the highest possible severity, warning developers to patch affected applications urgently.
GTIG observed widespread exploitation by both financially motivated criminals and suspected state-backed groups, targeting unpatched React and Next.js applications across cloud environments. Applications that handle sensitive user data and financial transactions are the highest-value targets, and an application that was internet-exposed and unpatched during this window should be treated as potentially compromised, not merely updated.
**What You Can Do to Protect Your Website:**
* Patch: upgrade React and the react-server-dom-* packages to a fixed release (19.0.1, 19.1.2 or 19.2.1, depending on the line you are on) and upgrade Next.js to a release that bundles the fix
* Review and update dependencies, including transitive copies installed under other packages' node_modules; a framework such as Next.js may carry its own copy that a top-level version check misses
* Monitor server resources for suspicious activity: sustained high CPU, unknown processes started from /tmp or /dev/shm, and outbound connections to mining pools
* Restrict outbound network access from web servers and run the application under a least-privilege account, so a dropped miner or backdoor has less to work with, and rebuild any host that was exposed while unpatched
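As an added example of the monitoring step, not from the article or from GTIG's report, here is a Node script that applies a few heuristics to a process snapshot such as the output of `ps -eo pid,user,pcpu,etime,args --no-headers`: known miner binary names, a stratum mining-pool URL on the command line, sustained high CPU from /tmp, /var/tmp, /dev/shm or a hidden directory, and kernel-thread lookalike names backed by a real file. The process lines are constructed; xmrig and minerd are named as well-known miner binaries, not as indicators from this campaign.

```javascript
// Added example (not from the article or from GTIG's report). Applies a few
// heuristics to a process snapshot, such as the output of
//   ps -eo pid,user,pcpu,etime,args --no-headers
// to surface processes that look like a crypto-miner dropped after a web
// server compromise. xmrig and minerd are named as well-known miner binaries,
// not as indicators tied to this campaign; extend the lists from your own
// threat intelligence.

const CPU_THRESHOLD = 80;   // %CPU a web worker should not sustain
const MIN_RUNTIME_S = 600;  // ignore short bursts such as builds
const VOLATILE_DIRS = ["/tmp/", "/var/tmp/", "/dev/shm/"];
const MINER_NAMES = new Set(["xmrig", "minerd"]);

// Parses ps etime, formatted as [[dd-]hh:]mm:ss, into seconds.
function parseEtime(s) {
  let days = 0;
  let rest = s;
  if (rest.includes("-")) {
    const [d, r] = rest.split("-");
    days = Number(d);
    rest = r;
  }
  const parts = rest.split(":").map(Number);
  while (parts.length < 3) parts.unshift(0);
  return ((days * 24 + parts[0]) * 60 + parts[1]) * 60 + parts[2];
}

// Parses one "pid user pcpu etime args..." line; returns null for junk lines.
function parseProcLine(line) {
  const m = /^\s*(\d+)\s+(\S+)\s+([\d.]+)\s+(\S+)\s+(.*\S)\s*$/.exec(line);
  if (!m) return null;
  const args = m[5];
  const exe = args.split(/\s+/)[0];
  const basename = exe.startsWith("/") ? exe.slice(exe.lastIndexOf("/") + 1) : exe;
  return { pid: Number(m[1]), user: m[2], cpu: Number(m[3]),
           runtime: parseEtime(m[4]), exe, basename, args };
}

// Returns the list of reasons a process looks like a miner (empty if none).
function minerIndicators(p) {
  const reasons = [];
  if (MINER_NAMES.has(p.basename)) reasons.push("known miner binary name");
  if (/stratum\+(tcp|ssl):\/\//i.test(p.args)) reasons.push("stratum mining-pool URL on command line");
  const volatile = VOLATILE_DIRS.some((d) => p.exe.startsWith(d));
  const hidden = /\/\./.test(p.exe); // hidden directory or dotfile in the path
  if (p.cpu >= CPU_THRESHOLD && p.runtime >= MIN_RUNTIME_S && (volatile || hidden)) {
    reasons.push("sustained high CPU from a volatile or hidden path");
  }
  // Real kernel threads show as "[kworker/...]" with no path; a file on disk
  // carrying such a name is masquerading.
  if (/^\[?k(worker|threadd|swapd)/.test(p.basename) && p.exe.startsWith("/")) {
    reasons.push("kernel-thread lookalike backed by a real executable");
  }
  return reasons;
}

function flagMiners(lines) {
  const flagged = [];
  for (const line of lines) {
    const p = parseProcLine(line);
    if (!p) continue;
    const reasons = minerIndicators(p);
    if (reasons.length) flagged.push({ pid: p.pid, user: p.user, cpu: p.cpu, exe: p.exe, reasons });
  }
  return flagged;
}

// Constructed snapshot: a Next.js server, a real kernel thread, a dropped
// miner, a masquerading binary, a database process, a legitimate short build
// and a busy but normal worker.
const SAMPLE_PS = [
  "  912 www-data  11.5 3-04:10:31 node /srv/app/server.js",
  "   17 root       0.0 3-04:12:00 [kworker/0:1-events]",
  " 1043 www-data 198.0 01:12:05 /tmp/.x/xmrig -o stratum+tcp://pool.example:3333",
  " 2201 www-data  97.3 02:40:18 /dev/shm/kworkerds",
  " 2317 postgres  45.0 3-04:11:02 postgres: checkpointer",
  " 2590 www-data  95.0 00:07 /tmp/build/esbuild --bundle src/index.ts",
  " 3001 www-data  88.0 04:30:00 node /srv/app/worker.js",
];

// Usage: ps -eo pid,user,pcpu,etime,args --no-headers > snapshot.txt
//        node find-miners.js snapshot.txt
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const input = process.argv[2]
    ? fs.readFileSync(process.argv[2], "utf8").split("\n")
    : SAMPLE_PS;
  for (const f of flagMiners(input)) {
    console.log(`pid ${f.pid} (${f.user}, ${f.cpu}% CPU) ${f.exe}: ${f.reasons.join("; ")}`);
  }
}
```

The runtime threshold keeps a short, CPU-heavy build from being reported, and the busy worker under /srv/app is left alone because a normal path with high CPU is not on its own suspicious. The gaps are the point of the caveat above: a miner loaded into the Node process itself, or renamed and run from an ordinary path, trips none of these checks, so pair this with egress monitoring for pool connections and treat a host that was exposed while unpatched as compromised regardless of what the snapshot shows.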
**Stay Informed:**
Follow us for the latest updates on this critical vulnerability and its impact on the web development community.