Hackers used React to mine bitcoin this week

TLDR: UPGRADE REACT VERSIONS 19.0.0 -> 19.2.1 & NEXT.JS >=13.3 IF THEY ARE IN PRODUCTION

Before I tell you ANYTHING else about the React vulnerabilities this week, in case you haven’t already...

UPGRADE REACT VERSIONS 19.0.0 -> 19.2.1 & NEXT.JS >=13.3 IF THEY ARE IN PRODUCTION

On December 3rd, ​a critical security vulnerability was discovered in React Server components​ which reported affected versions 19.0 -> 19.2.0 of:

• ​react-server-dom-webpack​

• ​react-server-dom-parcel​

• ​react-server-dom-turbopack​

Then on December 11th, two new security vulnerabilities were discovered (Denial of service & Source Code Exposure) which affects basically all Next.js versions v13.3 upwards. All three are covered under the ​CVE-2025-55182​ tag.

This vulnerability has a severity score of 10. That is the highest score possible.
That is NO BUENO.

Thought this was important to mention in case any devs this week heard about the first vulnerability, fixed and analyzed any misuse, but haven’t heard about how this problem has expanded.

Here’s all the interesting links I found detailing the issue:

• ​The CVE-2025-55182 record detailing the vulnerability​

• ​Wiz.io’s ultimate analysis of the incidents​

• ​React team’s Dec 3rd blogpost​

• ​React team’s Dec 11th blogpost​

• ​Vercel’s React2Shell original security bulletin​

• ​Vercel’s CVE-2025-55184 and CVE-2025-55183 security bulletin​

• ​Original PoC of React2Shell​

• ​Vercel’s CEO explanation of the exploit​

• ​Moritz Sanft’s explanation (and who showed the first POC)​

Now with all of THAT being said...

You can learn a lot about Frontend Development from this

(I mean, it might sound bad, but understanding why things like this happen and people’s critical opinions on this gives you a lot of info you might not normally run into through doing tutorials).

So how about for today’s issue, we do a FAQ from things I’ve gathered around this incident. This is a long one so feel free to skim, but MAN there’s a lot to learn and unpack here. Starting off with...

How can this happen?

Well... you know how with React you can use Server Functions to communicate between the client and the server? There were major flaws with how React deserialized client-sent data on the server.

(Serialization means how data is transformed for it to be transported or stored. Think of JSON.)

This logic lives in React’s Flight protocol, which is the internal protocol React uses to exchange data between the server and the client. Since the server didn’t safely handle malformed serialized data, things like code execution and source code leaks could happen.

---

FOR THOSE WHO CARE TO UNDERSTAND HOW THIS WORKS TECHNICALLY

The best resources I found that helped me understand what’s going on is from ​Moritz Sanft’s breakdown of the exploit​ & ​Better Stack’s video on the topic breaking it down​.

The TLDR of it is it’s exploiting an oversight on React’s side while making use of a lot of JavaScript’s quirks.

The main exploit on React’s side involves allowing a payload to access properties of objects that aren’t its own. This gave attacker’s access to any object’s prototype, which gives access to a lot of evil shenanigans.

This is only possible because of how JavaScript works. Some of JS’s quirks that this exploit abuses include:

Being able to await object and having them automatically execute if they have a “then” property. Like so: 

const func = () => console.log(”WHY DOES THIS RUN 😱?!”) 
const obj = { something: “something”, then: func} 
await obj -> This prints out “WHY DOES THIS RUN 😱?!”

All JS objects have a prototype. A prototype is how objects can inherit properties and methods from other objects. When you try to access a property of an object, if it fails, it will then try to access the property of its prototype. So you can access the properties of any prototype: 

console.log(({}).__proto__) -> prints out the prototype.

You can execute code by using the Function object, even if it’s just text, as long as you can execute it. 

Function(console.log(”oh no!”))()

You can grab an object’s prototype constructor property to get access to Object’s constructor. You can also grab its prototype constructor to get access to Function’s constructor. And remember, with an instance of Function, you can execute code from just a string. 

So all together, you can do: 

const code = { a: 1 }.__proto__.constructor.constructor 

code(”console.log(’💀’)”)()

All of this info was used together to make the exploit possible. If you’re still confused, I’d say explore some of the resources I linked before, which break it down way more.

---

Once you understand this, it’s an experience to go to the ​original pull request of React to understand how they fixed it.​ Look out for when you see if statements with: “hasOwnProperty.call(moduleExports, metadata[NAME])”.

If you look more closely, it’s to prevent “return moduleExports[metadata[NAME]];” from executing any properties that aren’t in the object. This is what stops bad intended payloads from referencing other object’s properties!

What are people saying about this?

Oooh now here’s where things get juicy. The spiciest talk I saw online on this was ​from ycombinator​. From what I saw, it’s split. Which is good. It forces us to have important talks about the future or architecture of the major frameworks we all use. My favorite comment from the discussion was this one:

---

“We can patch hasOwnProperty and tighten the deserializer, but there is deeper issue. React never really acknowledged that it was building an RPC layer. If you look at actual RPC frameworks like gPRC or even old school SOAP, they all start with schemas, explicit service definitions and a bunch of tooling to prevent boundary confusion. React went the opposite way: the API surface is whatever your bundler can see, and the endpoint is whatever the client asks for. My guess is this won’t be the last time we see security fallout from that design choice. Not because React is sloppy, but because it’s trying to solve a problem category that traditionally requires explicitness, not magic.” - coffeecoders

---

There’s a lot of good insights and info you can get from that whole thread. If there’s anything you don’t understand about it, I say copy-paste a comment thread into your favorite AI and ask it a bunch of questions. Loads you can learn from this (like the difference between server components and SSR or why react has an “implicit RPC”.)

And finally...

What’s the worst that can happen?

Thanks to ​Wiz.io’s deepdive into the incident​, we know bad actors used these exploits to:

• Use the server to cryptomine by running shell scripts.

• Scrape cloud and application secrets.

• Download all of your source code.

• Keep all your info as ransom

• And anything else you can think of! It’s code execution after all.

I’m serious, this exploit is WILD. The thing I’m most impacted by is just... how simple the fix seems to be despite it all.

Wondering how many developers it affected this week… 🤔

Aaaanyway, please, keep safe out there and remember to UPDATE YOUR REACT!!!

Don’t let hackers use your servers for bitcoin!!!

And have a wonderful weekend!