Hackers Target React Server Components for Cyber Attacks

Hackers Target React Server Components for Cyber Attacks

Posted on By CWS

Key Points

  • Exploitation of React Server Components vulnerability, CVE-2025-55182, is escalating.
  • Hackers are deploying cryptominers and gaining remote access through this flaw.
  • Security teams are advised to apply patches immediately to mitigate risks.

Escalating Threats to React Server Components

In the wake of the disclosure of CVE-2025-55182, a critical vulnerability in React Server Components, hackers have intensified their attack strategies. This flaw has now become the focal point for high-volume cyber attacks aimed at deploying cryptominers and establishing persistent remote access.

Between January 26 and February 2, 2026, data collected by GreyNoise revealed that threat actors are aggressively exploiting this vulnerability. A total of 1,083 unique sources attempted to exploit this flaw, with the majority of attacks originating from just two IP addresses, suggesting automated large-scale tactics.

Analyzing the Attack Campaigns

The attack campaigns target React Server Components by exploiting a deserialization flaw, allowing unauthenticated remote code execution through a malicious HTTP POST request. Two main attack vectors have been identified, each with distinct objectives.

The first, identified as the Cryptomining Campaign, originates from IP 87.121.84[.]24 and accounts for 22% of the attack traffic. This campaign uses a script to download and execute an XMRig binary, indicating its goal is resource exploitation.

Meanwhile, the Interactive Access Campaign, from IP 193.142.147[.]209, constitutes 34% of the traffic. This attack bypasses staging servers, opening a reverse shell to the attacker’s IP, suggesting a focus on network infiltration rather than cryptomining.

Understanding the Vulnerability

CVE-2025-55182 is an insecure deserialization vulnerability in React Server Components, carrying a CVSS score of 10.0. This flaw enables attackers to manipulate serialized data, leading to arbitrary code execution.

Affected software versions include React 19.0.0, 19.1.0 to 19.1.1, and 19.2.0, with patched versions being React 19.0.1, 19.1.2, and 19.2.1. Attackers are mainly targeting development ports exposed by misconfigured instances, with ports 443, 80, 3000, 3001, and 3002 being the most vulnerable.

Security teams are urged to update to the latest patched versions of React immediately. If patching is not feasible, network access to development ports should be restricted to mitigate exposure risks.

Conclusion

The exploitation of React Server Components through CVE-2025-55182 highlights the urgency for robust cybersecurity measures. Organizations must prioritize patching and consider network restrictions to safeguard against these escalating threats. Staying informed and proactive is key to defending against such vulnerabilities.

Cyber Security News Tags:, , , , , , , , , , ,

Related Posts

Hackers Accessed Email Account Contains Valid Credentials Hackers Accessed Email Account Contains Valid Credentials Cyber Security News
4M+ Internet-Exposed Systems at Risk From Tunneling Protocol Vulnerabilities 4M+ Internet-Exposed Systems at Risk From Tunneling Protocol Vulnerabilities Cyber Security News
RDP vs SSH Comparison – Features, Protocols, Security, And Use Cases RDP vs SSH Comparison – Features, Protocols, Security, And Use Cases Cyber Security News
Real-Time Threat Intelligence for Proactive Cyber Defense in 2025 Real-Time Threat Intelligence for Proactive Cyber Defense in 2025 Cyber Security News
65% of Leading AI Companies Exposes Verified Secrets Including Keys and Tokens on GitHub 65% of Leading AI Companies Exposes Verified Secrets Including Keys and Tokens on GitHub Cyber Security News
New WhatsApp Scam Alert Tricks Users to Get Complete Access to Your WhatsApp Chats New WhatsApp Scam Alert Tricks Users to Get Complete Access to Your WhatsApp Chats Cyber Security News