A newly disclosed vulnerability in React, one of the most widely used JavaScript libraries on the web, is being actively exploited to inject crypto wallet drainers into legitimate websites.
According to the nonprofit cybersecurity group Security Alliance (SEAL), malicious actors are using this access to insert wallet-draining scripts into front-end code, often without site operators realizing anything has changed.
The issue, tracked as CVE-2025-55182, was disclosed on December 3 by the React team after being identified by white-hat researcher Lachlan Davidson.
Security researchers say the attacks are already spreading, with crypto platforms among the most frequent targets.
“We are observing a significant increase in drainers being uploaded to legitimate crypto websites through exploitation of this React vulnerability,” SEAL warned in a public statement.
The group stressed that the threat is not limited to Web3 platforms and that any website running vulnerable React server components could be exposed.
Crypto Drainers using React CVE-2025-55182
— Security Alliance (@_SEAL_Org) December 13, 2025
We are observing a big uptick in drainers uploaded to legitimate (crypto) websites through exploitation of the recent React CVE.
All websites should review front-end code for any suspicious assets NOW.
SEAL Announcement.
How the attack works in practice
The flaw allows unauthenticated remote code execution in certain React server components, giving attackers a way to run arbitrary code on affected sites without triggering obvious alarms.
React is commonly used to manage user interfaces, including transaction prompts and wallet connections on crypto websites. By exploiting the vulnerability, attackers can alter how those interfaces behave, even while the site appears normal. In many cases, users are tricked into signing malicious transactions through deceptive pop-ups or approval requests that closely resemble legitimate wallet interactions.
The result is a drained wallet, often within seconds, without any obvious sign that the website itself was compromised.
SEAL noted that some affected sites have been unexpectedly flagged by browsers or wallet providers as phishing risks. These warnings can appear without explanation, leaving developers confused and users locked out. In several cases, hidden drainer scripts were later found embedded in front-end assets loaded from unfamiliar domains.
What developers should check immediately
Security Alliance urged website operators to audit their front-end code as a priority. Their recommendations focus on practical indicators rather than abstract risk assessments.
Developers are advised to scan their infrastructure for CVE-2025-55182 and review whether their applications are loading scripts from unknown hosts. Obfuscated JavaScript in front-end assets is another red flag, as is any wallet signature request that does not clearly display the correct recipient address.
“If your project is suddenly blocked or flagged, review your code before appealing the warning,” SEAL said, noting that phishing protections often detect malicious behavior before developers do.
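The front-end checks described above, plus a lookup for the three server-component packages the React advisory lists, can be run against a built site with a few lines of Node.js. This is an added example, not SEAL's or the React team's tooling: the function names, hosts and sample HTML, script and package.json contents are constructed, and the obfuscation test is a heuristic chosen for illustration.

```javascript
// Added example: helper names and all sample data below are constructed.
const AFFECTED = ['react-server-dom-webpack', 'react-server-dom-parcel',
  'react-server-dom-turbopack']; // packages named in the React advisory

// Hosts of <script src> tags that are neither the site itself nor allowlisted.
function unknownScriptHosts(html, siteOrigin, allowedHosts = []) {
  const allowed = new Set([new URL(siteOrigin).host, ...allowedHosts]);
  const found = new Set();
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of html.matchAll(re)) {
    const src = m[1] ?? m[2] ?? m[3];
    try {
      const host = new URL(src, siteOrigin).host; // resolves relative and //host URLs
      if (!allowed.has(host)) found.add(host);
    } catch {
      found.add(`unparseable:${src}`); // surface it rather than skip it
    }
  }
  return [...found].sort();
}

// Heuristic obfuscation signals; a hit means "read this file", not "malicious".
function obfuscationSignals(js) {
  const signals = [];
  if ((js.match(/\b_0x[0-9a-f]{4,}\b/gi) || []).length >= 5) signals.push('hex-named identifiers');
  if (/(?:\\x[0-9a-f]{2}){4,}/i.test(js)) signals.push('escaped string run');
  if (/\beval\s*\(|\bnew\s+Function\s*\(/.test(js)) signals.push('dynamic code evaluation');
  return signals;
}

// Direct declarations only; transitive copies have to be checked in the lockfile.
function affectedDependencies(pkg) {
  const deps = { ...pkg.dependencies, ...pkg.devDependencies };
  return AFFECTED.filter((name) => name in deps).map((name) => `${name}@${deps[name]}`);
}

// Constructed sample inputs.
const SAMPLE_HTML = `<script src="/static/app.js"></script>
<script src="https://cdn.allowed.example/lib.js"></script>
<script async src='//assets-unknown.example/w.js'></script>`;
const SAMPLE_JS = String.raw`var _0x4e2a=['\x63\x6f\x6e\x6e\x65\x63\x74'];(function(_0x1f3b,_0x2c9d){_0x1f3b[_0x4e2a[0]](_0x2c9d);})(_0x5a10,_0x77be);`;
const SAMPLE_PKG = { dependencies: { react: '0.0.0-sample', 'react-server-dom-webpack': '0.0.0-sample' } };

console.log(unknownScriptHosts(SAMPLE_HTML, 'https://app.example', ['cdn.allowed.example']));
console.log(obfuscationSignals(SAMPLE_JS));
console.log(affectedDependencies(SAMPLE_PKG));
```

Any version string the last function reports still has to be compared by hand against the fixed releases listed in the React advisory.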
React issues patch and clarifies scope
The React team has already released a fix and is urging immediate upgrades for projects using the affected packages: react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
In its advisory, React clarified that applications not using React Server Components or server-side rendering are not impacted by this vulnerability. Projects built without a framework, bundler, or compatible plugin are also unaffected.
Even so, the disclosure has raised concerns about the security implications of modern front-end tooling, particularly for crypto platforms that rely heavily on browser-based interactions.
A broader pattern in JavaScript supply-chain attacks
This incident follows another high-profile JavaScript security breach earlier in the year, when attackers compromised a trusted developer account on the Node Package Manager ecosystem. That attack allowed malicious code to spread through widely used packages that had collectively been downloaded more than one billion times. Security researchers described that episode as a large-scale supply-chain compromise, one that exposed how deeply interconnected modern web development has become.
The React vulnerability reinforces the same lesson: widely adopted tools create powerful efficiencies, but they also concentrate risk.





