Hackers Target React Server Components for Cyber Attacks

Hackers Target React Server Components for Cyber Attacks

Posted on By CWS

Key Points

  • Exploitation of React Server Components vulnerability, CVE-2025-55182, is escalating.
  • Hackers are deploying cryptominers and gaining remote access through this flaw.
  • Security teams are advised to apply patches immediately to mitigate risks.

Escalating Threats to React Server Components

In the wake of the disclosure of CVE-2025-55182, a critical vulnerability in React Server Components, hackers have intensified their attack strategies. This flaw has now become the focal point for high-volume cyber attacks aimed at deploying cryptominers and establishing persistent remote access.

Between January 26 and February 2, 2026, data collected by GreyNoise revealed that threat actors are aggressively exploiting this vulnerability. A total of 1,083 unique sources attempted to exploit this flaw, with the majority of attacks originating from just two IP addresses, suggesting automated large-scale tactics.

Analyzing the Attack Campaigns

The attack campaigns target React Server Components by exploiting a deserialization flaw, allowing unauthenticated remote code execution through a malicious HTTP POST request. Two main attack vectors have been identified, each with distinct objectives.

The first, identified as the Cryptomining Campaign, originates from IP 87.121.84[.]24 and accounts for 22% of the attack traffic. This campaign uses a script to download and execute an XMRig binary, indicating its goal is resource exploitation.

Meanwhile, the Interactive Access Campaign, from IP 193.142.147[.]209, constitutes 34% of the traffic. This attack bypasses staging servers, opening a reverse shell to the attacker’s IP, suggesting a focus on network infiltration rather than cryptomining.

Understanding the Vulnerability

CVE-2025-55182 is an insecure deserialization vulnerability in React Server Components, carrying a CVSS score of 10.0. This flaw enables attackers to manipulate serialized data, leading to arbitrary code execution.

Affected software versions include React 19.0.0, 19.1.0 to 19.1.1, and 19.2.0, with patched versions being React 19.0.1, 19.1.2, and 19.2.1. Attackers are mainly targeting development ports exposed by misconfigured instances, with ports 443, 80, 3000, 3001, and 3002 being the most vulnerable.

Security teams are urged to update to the latest patched versions of React immediately. If patching is not feasible, network access to development ports should be restricted to mitigate exposure risks.

Conclusion

The exploitation of React Server Components through CVE-2025-55182 highlights the urgency for robust cybersecurity measures. Organizations must prioritize patching and consider network restrictions to safeguard against these escalating threats. Staying informed and proactive is key to defending against such vulnerabilities.

Cyber Security News Tags:, , , , , , , , , , ,

Related Posts

New DNS Malware Detour Dog Delivers Strela Stealer Using DNS TXT Records New DNS Malware Detour Dog Delivers Strela Stealer Using DNS TXT Records Cyber Security News
Next.js Released a Scanner to Detect and Update Apps Impacted by React2Shell Vulnerability Next.js Released a Scanner to Detect and Update Apps Impacted by React2Shell Vulnerability Cyber Security News
Dark Web Job Market Evolved Dark Web Job Market Evolved Cyber Security News
Microsoft Teams Introduces New Feature to Boost Performance and Startup Speed Microsoft Teams Introduces New Feature to Boost Performance and Startup Speed Cyber Security News
OpenAI Unveils Faster GPT-5.4 Mini and Nano Models OpenAI Unveils Faster GPT-5.4 Mini and Nano Models Cyber Security News
Microsoft Confirms Recent Updates Cause Login Issues on Windows 11 24H2, 25H2, and Windows Server 2025 Microsoft Confirms Recent Updates Cause Login Issues on Windows 11 24H2, 25H2, and Windows Server 2025 Cyber Security News