fix-react2shell-next

One command to fix CVE-2025-66478 (React 2 Shell RCE) in your Next.js / React RSC app.
npx fix-react2shell-next
Deterministic version bumps per the official advisories.
What it does
- Recursively scans all package.json files (handles monorepos)
- Checks for vulnerable versions of:
  - next
  - react-server-dom-webpack
  - react-server-dom-parcel
  - react-server-dom-turbopack
- Patches to the correct fixed version based on your current version
- Refreshes your lockfile with the detected package manager
Affected Versions
Next.js
| Current Version | Patched Version |
|---|---|
| 15.0.0 – 15.0.4 | 15.0.5 |
| 15.1.0 – 15.1.8 | 15.1.9 |
| 15.2.0 – 15.2.5 | 15.2.6 |
| 15.3.0 – 15.3.5 | 15.3.6 |
| 15.4.0 – 15.4.7 | 15.4.8 |
| 15.5.0 – 15.5.6 | 15.5.7 |
| 16.0.0 – 16.0.6 | 16.0.7 |
| 15.x canaries | 15.6.0-canary.58 |
| 16.x canaries | 16.1.0-canary.12 |
| 14.3.0-canary.77+ | Downgrade to 14.3.0-canary.76 or upgrade to 15.0.5 |
React RSC Packages
| Current Version | Patched Version |
|---|---|
| 19.0.0 | 19.0.1 |
| 19.1.0, 19.1.1 | 19.1.2 |
| 19.2.0 | 19.2.1 |
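The two tables above, applied to the dependency specs of a parsed package.json. This is an added example, not the tool's own code: the function names are hypothetical, and it assumes the base version of a `^`/`~` range is what gets checked and that a canary at or past the patched canary is already fixed.

```javascript
// Added example, not fix-react2shell-next's own code. Version data copied from the tables above.
const NEXT_FIXED = { '15.0': 5, '15.1': 9, '15.2': 6, '15.3': 6, '15.4': 8, '15.5': 7, '16.0': 7 };
const NEXT_CANARY_FIXED = { 15: [6, 0, 58], 16: [1, 0, 12] }; // [minor, patch, canary]
const RSC_FIXED = { '19.0.0': '19.0.1', '19.1.0': '19.1.2', '19.1.1': '19.1.2', '19.2.0': '19.2.1' };
const RSC_PACKAGES = ['react-server-dom-webpack', 'react-server-dom-parcel', 'react-server-dom-turbopack'];
// Parse "^15.1.0", "~15.4.3" or "15.6.0-canary.12"; null for anything else.
function parseSpec(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)(?:-canary\.(\d+))?$/.exec(String(spec).trim());
  if (!m) return null;
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  return { major, minor, patch, canary: m[4] === undefined ? null : Number(m[4]) };
}

// True when tuple a sorts before tuple b (numeric, left to right).
function before(a, b) {
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Patched version for one dependency, or null when no row of the tables applies.
function patchedVersionFor(name, spec) {
  const v = parseSpec(spec);
  if (!v) return null; // dist-tags, git URLs, workspace:* need manual review
  const stable = `${v.major}.${v.minor}.${v.patch}`;
  if (RSC_PACKAGES.includes(name)) return v.canary === null ? RSC_FIXED[stable] ?? null : null;
  if (name !== 'next') return null;
  if (v.canary === null) {
    const fixedPatch = NEXT_FIXED[`${v.major}.${v.minor}`];
    return fixedPatch !== undefined && v.patch < fixedPatch ? `${v.major}.${v.minor}.${fixedPatch}` : null;
  }
  const pre = [v.minor, v.patch, v.canary];
  // 14.3.0-canary.77+ row: this example picks the "upgrade to 15.0.5" option.
  if (v.major === 14) return before(pre, [3, 0, 77]) ? null : '15.0.5';
  const fixed = NEXT_CANARY_FIXED[v.major];
  // Assumption: a canary at or past the patched canary is already fixed.
  if (!fixed || !before(pre, fixed)) return null;
  return `${v.major}.${fixed[0]}.${fixed[1]}-canary.${fixed[2]}`;
}

// Findings for one parsed package.json (dependencies override devDependencies on a name clash).
function scanManifest(manifest) {
  const deps = { ...manifest.devDependencies, ...manifest.dependencies };
  return Object.entries(deps)
    .map(([name, spec]) => ({ name, current: spec, fixed: patchedVersionFor(name, spec) }))
    .filter((f) => f.fixed !== null);
}
// Constructed sample mirroring apps/web/package.json in the Example Output section.
const sample = { dependencies: { next: '^15.4.3', 'react-server-dom-webpack': '19.1.0' } };
console.log(scanManifest(sample));
```

Specs that `parseSpec` rejects (dist-tags, git URLs, `workspace:*`) are reported as not affected here, so they still need a manual look.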
Usage
Check & Fix (Interactive)
npx fix-react2shell-next
Auto-fix (CI / Non-interactive)
npx fix-react2shell-next --fix
Check Only (Dry Run)
npx fix-react2shell-next --dry-run
JSON Output (for scripting)
npx fix-react2shell-next --json
Example Output
🔍 fix-react2shell-next - CVE-2025-66478 vulnerability scanner
📂 Found 3 package.json file(s)
🚨 Found 2 vulnerable file(s):
📄 package.json
next: ^15.1.0 → 15.1.9
📄 apps/web/package.json
next: ^15.4.3 → 15.4.8
react-server-dom-webpack: 19.1.0 → 19.1.2
🔧 Apply fixes? [Y/n] y
🔧 Applying fixes...
✓ Updated package.json
✓ Updated apps/web/package.json
📦 Package manager: pnpm
🔄 Refreshing lockfile...
$ pnpm install
✅ Patches applied!
Remember to test your app and commit the changes.
Monorepo Support
The tool automatically finds all package.json files in your project, excluding:
- node_modules
- .next, .turbo, .vercel, .nuxt
- dist, build, .output
- coverage
Works with npm, yarn, pnpm, and bun workspaces.
License
MIT