Wednesday, December 31, 2025

React ‘React2Shell’ Bug Exposes Thousands of DeFi Front-Ends to Wallet Drainers

A critical RCE vulnerability in React Server Components is being weaponized to inject wallet drainers into trusted DeFi front-ends.

Critical RCE Vulnerability in React Server Components actively exploited to inject malicious scripts into legitimate dApps.

A catastrophic vulnerability in React Server Components (RSC) has left thousands of cryptocurrency platforms exposed to immediate takeover. Reported late today, the flaw, tracked as CVE-2025-55182 and dubbed “React2Shell”, allows attackers to execute remote code on servers without authentication, enabling them to inject wallet-draining scripts directly into the front-ends of trusted DeFi sites.

The exploit targets React versions 19.0 through 19.2.0, a stack ubiquitous in Web3 development. According to the Security Alliance (SEAL), threat actors are already weaponizing the bug to deploy fake “permit” signatures. Users connecting to compromised dApps are presented with what appears to be a standard transaction request; signing it instantly grants attackers control over their assets.

The flaw stems from insecure deserialization in the payload handling logic, allowing attacker-controlled data to influence server-side execution. Once they have code execution on the server, attackers simply rewrite the front-end to point to their own drainer contracts.

The “Invisible” Supply Chain Attack

This is not a blockchain protocol failure; it is a Web2 infrastructure collapse. Because the vulnerability exists in the server-side rendering layer, the underlying smart contracts remain secure while the user interface becomes a trap. This mirrors the mechanics of the 2023 Ledger Connect Kit incident but on a potentially larger scale given React’s dominance.

SEAL and other security firms have observed a “sharp uptick” in drainer deployments over the last six hours. Attackers are prioritizing high-traffic DeFi dashboards where users frequently sign off-chain permit messages. The sophisticated nature of the attack means no phishing link is required. Users navigating to a bookmarked, legitimate URL are equally at risk if the platform’s server has been breached.

Market Reaction & Remediation

While major tokens like Bitcoin and Ether remain range-bound amidst broader year-end caution, the panic is palpable in developer channels. Vercel and the React team have rushed patches, urging all platform operators to upgrade immediately.

For users, the directive is stark: Stop signing permits on unverified front-ends. If a dApp requests a signature for a transaction you didn’t initiate, or if the “Spender” address looks unfamiliar, disconnect immediately. The risk remains critical until platforms confirm they have patched CVE-2025-55182.
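As an added, defender-side illustration of the check the article recommends (example code, not from the article, SEAL, React, or any wallet), the snippet below inspects an EIP-712 permit request before it is signed and flags an unfamiliar spender, an unlimited allowance, or a far-future deadline; the trusted-spender list and the sample requests are constructed placeholders.

```javascript
// Added example (not from the article, SEAL, or React): a wallet-side guard
// that inspects an EIP-712 typed-data request before the user signs it and
// flags the permit pattern described above. Sample requests are constructed.
const MAX_UINT256 = (1n << 256n) - 1n;
const ONE_YEAR_SECONDS = 365n * 24n * 3600n;

// Spenders the user has knowingly approved before (constructed placeholder).
const TRUSTED_SPENDERS = new Set(["0x" + "11".repeat(20)]);

// Permit fields arrive as decimal or 0x-hex strings; parse them defensively.
function toBigInt(v) {
  try { return v === undefined || v === null ? 0n : BigInt(v); }
  catch { return null; }
}

function inspectTypedData(typedData, nowSeconds, trusted = TRUSTED_SPENDERS) {
  const warnings = [];
  const primaryType = typedData.primaryType || "";
  const message = typedData.message || {};

  // Only permit-style signatures grant allowances; ignore everything else.
  if (!/permit/i.test(primaryType)) return { risky: false, warnings };

  const spender = String(message.spender || "").toLowerCase();
  if (!trusted.has(spender)) warnings.push(`unfamiliar spender: ${spender || "(missing)"}`);

  const value = toBigInt(message.value);
  if (value === null) warnings.push("unparseable allowance value");
  else if (value === MAX_UINT256) warnings.push("unlimited allowance requested");

  const deadline = toBigInt(message.deadline);
  if (deadline !== null && deadline - BigInt(nowSeconds) > ONE_YEAR_SECONDS) {
    warnings.push("permit deadline more than a year away");
  }
  return { risky: warnings.length > 0, warnings };
}

// Constructed: what a drainer-modified front-end would push to the wallet.
const DRAINER_REQUEST = {
  primaryType: "Permit",
  message: { owner: "0x" + "aa".repeat(20), spender: "0x" + "dead".repeat(10),
             value: MAX_UINT256.toString(), nonce: "0", deadline: "99999999999" },
};

// Constructed: a bounded permit to a spender the user already trusts.
const LEGIT_REQUEST = {
  primaryType: "Permit",
  message: { owner: "0x" + "aa".repeat(20), spender: "0x" + "11".repeat(20),
             value: "1000000", nonce: "0", deadline: "1700000600" },
};
```

A wallet would run `inspectTypedData` on every `eth_signTypedData_v4` payload and block or warn when `risky` is true, regardless of which URL the request came from.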