Hackers Target React Server Components for Cyber Attacks

Hackers Target React Server Components for Cyber Attacks

Posted on By CWS

Key Points

  • Exploitation of React Server Components vulnerability, CVE-2025-55182, is escalating.
  • Hackers are deploying cryptominers and gaining remote access through this flaw.
  • Security teams are advised to apply patches immediately to mitigate risks.

Escalating Threats to React Server Components

In the wake of the disclosure of CVE-2025-55182, a critical vulnerability in React Server Components, hackers have intensified their attack strategies. This flaw has now become the focal point for high-volume cyber attacks aimed at deploying cryptominers and establishing persistent remote access.

Between January 26 and February 2, 2026, data collected by GreyNoise revealed that threat actors are aggressively exploiting this vulnerability. A total of 1,083 unique sources attempted to exploit this flaw, with the majority of attacks originating from just two IP addresses, suggesting automated large-scale tactics.

Analyzing the Attack Campaigns

The attack campaigns target React Server Components by exploiting a deserialization flaw, allowing unauthenticated remote code execution through a malicious HTTP POST request. Two main attack vectors have been identified, each with distinct objectives.

The first, identified as the Cryptomining Campaign, originates from IP 87.121.84[.]24 and accounts for 22% of the attack traffic. This campaign uses a script to download and execute an XMRig binary, indicating its goal is resource exploitation.

Meanwhile, the Interactive Access Campaign, from IP 193.142.147[.]209, constitutes 34% of the traffic. This attack bypasses staging servers, opening a reverse shell to the attacker’s IP, suggesting a focus on network infiltration rather than cryptomining.

Understanding the Vulnerability

CVE-2025-55182 is an insecure deserialization vulnerability in React Server Components, carrying a CVSS score of 10.0. This flaw enables attackers to manipulate serialized data, leading to arbitrary code execution.

Affected software versions include React 19.0.0, 19.1.0 to 19.1.1, and 19.2.0, with patched versions being React 19.0.1, 19.1.2, and 19.2.1. Attackers are mainly targeting development ports exposed by misconfigured instances, with ports 443, 80, 3000, 3001, and 3002 being the most vulnerable.

Security teams are urged to update to the latest patched versions of React immediately. If patching is not feasible, network access to development ports should be restricted to mitigate exposure risks.

Conclusion

The exploitation of React Server Components through CVE-2025-55182 highlights the urgency for robust cybersecurity measures. Organizations must prioritize patching and consider network restrictions to safeguard against these escalating threats. Staying informed and proactive is key to defending against such vulnerabilities.

Cyber Security News Tags:, , , , , , , , , , ,

Related Posts

SparkKitty Attacks iOS and Android Devices in Wild Via App Store and Google Play SparkKitty Attacks iOS and Android Devices in Wild Via App Store and Google Play Cyber Security News
Hackers Exploit DFIR Tool Velociraptor In Ransomware Attacks Hackers Exploit DFIR Tool Velociraptor In Ransomware Attacks Cyber Security News
Lenovo AI Chatbot Vulnerability Let Attackers Run Remote Scripts on Corporate Machines Lenovo AI Chatbot Vulnerability Let Attackers Run Remote Scripts on Corporate Machines Cyber Security News
CrowdStrike Set to Acquire Onum in 0 Million Deal to Enhance Falcon Next-Gen SIEM CrowdStrike Set to Acquire Onum in $290 Million Deal to Enhance Falcon Next-Gen SIEM Cyber Security News
BeaverTail Variant via Malicious Repositories Targeting Retail Sector Organizations BeaverTail Variant via Malicious Repositories Targeting Retail Sector Organizations Cyber Security News
10 Best AI penetration Testing Companies in 2025 10 Best AI penetration Testing Companies in 2025 Cyber Security News