[Warning]React vulnerability.

[satscraper]

Security Alliance warned about drainers that exploit React ^{tools used by developers to build their front-ends and apps} vulnerabilities to empty crypto wallets.

The most alarming issue is that drainers can be uploaded into legitimate crypto-related websites.

I know that Web3 wallets either already support or have started to add support for BTC. The latest example is MetaMask.

In my view, when dealing with crypto, the best practice is not to use Web3 wallets at all, because even if you have  hardware wallet connected to compromised sites, they can display fake transaction prompts, and you may sign them in hurry.

[ABCbits]

I guess some website doesn't have dedicated team to update their website quickly in case like this. Looking at https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components, it seems React developer release the update since December 3, 2025.

[Mia Chloe]

I guess some website doesn't have dedicated team to update their website quickly in case like this. Looking at https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components, it seems React developer release the update since December 3, 2025.

It makes sense that they've fixed it already. Basically, open source softwares really get a quick fix compared to closed source sometimes owing to the fact that the kinda have a bigger fix team since basically any fine user can notice issues like this and contact them or fix them on his own.

I believe those using any older versions will have to upgrade to the latest one. The only problem with this is sometimes they may not get aware on time.

[joniboini]

I believe expecting a day or two (or hours) of an update for a major security fix isn't a big demand, especially if your service is used by many. Judging from what I read, though, there's no perfect way to protect ourselves from a major exploit like this. Keeping up to date with the latest security news is a must.

[NotATether]

And that's why folks you must never use NodeJS for developing crypto projects.

I used to write crypto tools in languages such as Python. However, I don't really do that anymore as old, boring languages such as PHP are still very much robust and hardened from the majority of these CVEs.

[Cricktor]

Hey satscraper, would you mind to correct your typo in your topic's title? Correct spelling makes searches with specific keywords in topic titles a lot more successful.

[Warning]React valnurability.  should rather be  [Warning]React vulnerability.

[satscraper]

Hey satscraper, would you mind to correct your typo in your topic's title? Correct spelling makes searches with specific keywords in topic titles a lot more successful.

[Warning]React valnurability.  should rather be  [Warning]React vulnerability.

Thanks, I have corrected those typos.

And that's why folks you must never use NodeJS for developing crypto projects.

You’re probably right, but Node.js itself is not vulnerable to CVE‑2025‑55182. It only becomes vulnerable when it’s configured to run the server side of React.

 That said, because many sites use Next.js  to run React on their servers, bots began attacking those sites almost immediately after the vulnerability was disclosed. These attacks were made easier by the fact that even the relatively short https request was sufficient to breach the server and deliver the malicious payload for execution.