fix-react2shell-next

One command to fix CVE-2025-66478 (React 2 Shell RCE) in your Next.js / React RSC app.

npx fix-react2shell-next

Deterministic version bumps per the official advisories.

What it does

1. Recursively scans all package.json files (handles monorepos)
2. Checks for vulnerable versions of:
   • next
   • react-server-dom-webpack
   • react-server-dom-parcel
   • react-server-dom-turbopack
3. Patches to the correct fixed version based on your current version
4. Refreshes your lockfile with the detected package manager

Affected Versions

Next.js

React RSC Packages

Usage

Check & Fix (Interactive)

npx fix-react2shell-next

Auto-fix (CI / Non-interactive)

npx fix-react2shell-next --fix

Check Only (Dry Run)

npx fix-react2shell-next --dry-run

JSON Output (for scripting)

npx fix-react2shell-next --json

Example Output

🔍 fix-react2shell-next - CVE-2025-66478 vulnerability scanner

📂 Found 3 package.json file(s)

🚨 Found 2 vulnerable file(s):

  📄 package.json
     next: ^15.1.0 → 15.1.9

  📄 apps/web/package.json
     next: ^15.4.3 → 15.4.8
     react-server-dom-webpack: 19.1.0 → 19.1.2

🔧 Apply fixes? [Y/n] y

🔧 Applying fixes...

   ✓ Updated package.json
   ✓ Updated apps/web/package.json

📦 Package manager: pnpm
🔄 Refreshing lockfile...

$ pnpm install

✅ Patches applied!
   Remember to test your app and commit the changes.

Monorepo Support

The tool automatically finds all package.json files in your project, excluding:

• node_modules
• .next, .turbo, .vercel, .nuxt
• dist, build, .output
• coverage

Works with npm, yarn, pnpm, and bun workspaces.

References

• GitHub Advisory GHSA-9qr9-h5gf-34mp
• Next.js Security Advisory
• React Security Advisory

License

MIT