React vulnerability exploited by hackers, cryptocurrency websites face a wave of JavaScript theft attacks
Recently, a class of front-end attacks targeting cryptocurrency users has been rapidly spreading. According to the cybersecurity nonprofit organization Security Alliance (SEAL), hackers are exploiting a newly discovered vulnerability in the open-source front-end JavaScript library React to implant cryptocurrency theft programs on legitimate websites. Related attack cases have significantly increased.
React is one of the most mainstream web front-end frameworks today and is widely used to build various websites and web applications. On December 3, the official React team disclosed that a serious security flaw, identified as CVE-2025-55182, was discovered by white-hat hacker Lachlan Davidson. This vulnerability allows unauthenticated remote code execution, enabling attackers to inject and run malicious code on the website front-end.
SEAL points out that attackers are covertly planting wallet-theft scripts on cryptocurrency-related websites through this vulnerability. These malicious scripts are often disguised as normal front-end components or resources and run without the user’s awareness, tricking users into signing malicious transactions that drain wallet assets directly. Common lures include fake reward pop-ups and phishing authorization requests.
SEAL also stresses that the attack is not limited to Web3 or DeFi projects: any website that uses the affected React components is at risk. Ordinary users should be especially careful when connecting a wallet or signing any on-chain authorization or transaction, and should check the recipient address and the contents of what they are signing.
For website operators, SEAL recommends an immediate, comprehensive inspection: scan servers for the CVE-2025-55182 vulnerability, check whether front-end code loads resources from unknown hosts, look for obfuscated JavaScript, and verify whether the recipient information shown in wallet signature requests is abnormal. Some affected websites may be flagged as phishing pages by browsers or security services without any obvious reason.
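The three client-side checks in that list can be scripted. The following is an added example written for this page, not code from the article, from SEAL or from the React project; it assumes Node.js 18 or later (for the built-in `URL` class), uses no third-party modules, and the origin, host and address values it contains are constructed samples. It flags script tags that load from hosts outside the site's own allow-list, looks for common obfuscation markers, and checks whether a wallet transaction request (an `eth_sendTransaction`-style parameter object) targets, or approves, an address the site does not own.

```javascript
// Added example (not from the article, SEAL or React): defender-side triage helpers.
// Assumes Node.js >= 18; all host and address values are constructed samples.

// 1) Which <script src> tags load from hosts outside the site's own allow-list?
function externalScriptSources(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

function unknownScriptHosts(html, pageOrigin, allowedHosts) {
  const allowed = new Set(allowedHosts);
  const flagged = [];
  for (const src of externalScriptSources(html)) {
    let url;
    try { url = new URL(src, pageOrigin); } catch { flagged.push(src); continue; }
    // Same-origin and explicitly allowed CDN hosts are fine; anything else is reported.
    if (url.origin !== pageOrigin && !allowed.has(url.hostname)) flagged.push(url.href);
  }
  return flagged;
}

// 2) Heuristic markers of obfuscated JavaScript. Each is a signal, not proof:
//    minifiers also emit very long lines, and some legitimate code calls atob().
function obfuscationIndicators(js) {
  const indicators = [];
  if (/\beval\s*\(/.test(js)) indicators.push("eval");
  if (/\bnew\s+Function\s*\(/.test(js)) indicators.push("Function-constructor");
  if (/\batob\s*\(/.test(js)) indicators.push("base64-decode");
  if (/\bString\.fromCharCode\s*\(/.test(js)) indicators.push("fromCharCode");
  if (/(\\x[0-9a-f]{2}){8,}/i.test(js)) indicators.push("hex-escaped-strings");
  const longest = js.split("\n").reduce((n, line) => Math.max(n, line.length), 0);
  if (longest > 5000) indicators.push("very-long-line");
  return indicators;
}

// 3) Does a transaction request point at an address the site does not own?
//    knownAddresses is the operator's list of their own contract addresses.
function suspiciousRecipient(txParams, knownAddresses) {
  const known = new Set(knownAddresses.map((a) => a.toLowerCase()));
  const findings = [];
  const to = (txParams.to || "").toLowerCase();
  if (!known.has(to)) findings.push(`to=${to} is not a known contract`);
  const data = (txParams.data || "").toLowerCase();
  // ERC-20 approve(address,uint256): selector 0x095ea7b3; the spender is the
  // first 32-byte argument word, of which the last 20 bytes are the address.
  if (data.startsWith("0x095ea7b3") && data.length >= 10 + 64) {
    const spender = "0x" + data.slice(10 + 24, 10 + 64);
    if (!known.has(spender)) findings.push(`approve spender=${spender} is not a known contract`);
  }
  return findings;
}

// Constructed sample inputs.
const PAGE_ORIGIN = "https://www.example-dapp.invalid";
const ALLOWED_HOSTS = ["cdn.example-dapp.invalid"];
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example-dapp.invalid/vendor.js"></script>
<script src="//cdn.unknown-host.invalid/x.js"></script>
`;
const SAMPLE_JS = "var _0x = ['" + "\\x61".repeat(10) + "'];eval(_0x[0]);";
const KNOWN_CONTRACTS = ["0x" + "1".repeat(40), "0x" + "3".repeat(40)];
const SAMPLE_TX = {
  to: "0x" + "1".repeat(40),
  // approve(spender=0x2222..., amount=0xffff...)
  data: "0x095ea7b3" + "0".repeat(24) + "2".repeat(40) + "f".repeat(64),
};

console.log("unknown script hosts:", unknownScriptHosts(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_HOSTS));
console.log("obfuscation indicators:", obfuscationIndicators(SAMPLE_JS));
console.log("recipient findings:", suspiciousRecipient(SAMPLE_TX, KNOWN_CONTRACTS));
```

Running the helpers over the sample inputs reports the protocol-relative script from the unknown host, the `eval` and hex-escaped-string markers, and an approval whose spender is not one of the site's own contracts, the kind of phishing authorization request the article describes. On a real site, feed `unknownScriptHosts` the served HTML (ideally fetched from outside, since an injected script may only be delivered to visitors), and treat any new host or new obfuscation marker relative to a known-good baseline as an incident to investigate.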
The official React team released a patch for the vulnerability on December 3 and advises all projects that use react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack to upgrade immediately. It also clarified that applications that do not use React Server Components are not affected by this vulnerability.
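Whether a project pulls in one of those three packages is often not obvious from its own package.json, because a framework may depend on them transitively. The following is an added example, not code from the article or the React project, that inventories an npm lockfile for them; it assumes Node.js 18 or later and a package-lock.json in npm's lockfileVersion 2/3 layout (a `packages` map keyed by node_modules path) or the older lockfileVersion 1 layout (a nested `dependencies` tree). The sample lockfile and its version strings are constructed and do not refer to real releases; which versions carry the fix is something to take from the React advisory, which this page does not quote.

```javascript
// Added example (not from the article or React): list the React Server Components
// packages the advisory names that are recorded in an npm lockfile, including nested copies.
// Assumes Node.js >= 18; the sample lockfile below is constructed.
const RSC_PACKAGES = new Set([
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
]);

function rscPackagesInLock(lockText) {
  const lock = JSON.parse(lockText);
  const found = [];
  // lockfileVersion 2/3: keys look like "node_modules/<name>" or, for a nested
  // copy, "node_modules/<dep>/node_modules/<name>"; the root entry has key "".
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (RSC_PACKAGES.has(name)) found.push({ name, version: entry.version, path });
  }
  // lockfileVersion 1: "dependencies" is a tree with nested "dependencies" objects.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (RSC_PACKAGES.has(name)) found.push({ name, version: entry.version, path });
      walk(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

// Constructed sample lockfile (versions are placeholders, not real releases):
// one direct RSC package and one nested under a hypothetical framework package.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { react: "0.0.0-sample" } },
    "node_modules/react": { version: "0.0.0-sample" },
    "node_modules/react-server-dom-webpack": { version: "0.0.0-sample" },
    "node_modules/some-framework/node_modules/react-server-dom-turbopack": { version: "0.0.0-sample" },
  },
});

for (const p of rscPackagesInLock(SAMPLE_LOCK)) {
  console.log(`${p.path}: ${p.name}@${p.version} -> compare against the fixed versions in the React advisory`);
}
```

For a real project, read the lockfile with `fs.readFileSync("package-lock.json", "utf8")` and pass the text to `rscPackagesInLock`; an empty result means none of the three packages is installed, which matches the React team's statement that applications without React Server Components are not affected.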
In the context of tightening cryptocurrency security, such front-end supply chain attacks once again remind the industry that web security has become an unavoidable systemic risk within the crypto ecosystem. (Cointelegraph)