One command to fix CVE-2025-66478 (React 2 Shell RCE) in your Next.js / React RSC app.
npx fix-react2shell-nextDeterministic version bumps per the official advisories.
- Recursively scans all
package.jsonfiles (handles monorepos) - Checks for vulnerable versions of:
nextreact-server-dom-webpackreact-server-dom-parcelreact-server-dom-turbopack
- Patches to the correct fixed version based on your current version
- Refreshes your lockfile with the detected package manager
| Current Version | Patched Version |
|---|---|
| 15.0.0 – 15.0.4 | 15.0.5 |
| 15.1.0 – 15.1.8 | 15.1.9 |
| 15.2.0 – 15.2.5 | 15.2.6 |
| 15.3.0 – 15.3.5 | 15.3.6 |
| 15.4.0 – 15.4.7 | 15.4.8 |
| 15.5.0 – 15.5.6 | 15.5.7 |
| 16.0.0 – 16.0.6 | 16.0.7 |
| 15.x canaries | 15.6.0-canary.58 |
| 16.x canaries | 16.1.0-canary.12 |
| 14.3.0-canary.77+ | Downgrade to 14.3.0-canary.76 or upgrade to 15.0.5 |
| Current Version | Patched Version |
|---|---|
| 19.0.0 | 19.0.1 |
| 19.1.0, 19.1.1 | 19.1.2 |
| 19.2.0 | 19.2.1 |
npx fix-react2shell-nextnpx fix-react2shell-next --fixnpx fix-react2shell-next --dry-runnpx fix-react2shell-next --json🔍 fix-react2shell-next - CVE-2025-66478 vulnerability scanner
📂 Found 3 package.json file(s)
🚨 Found 2 vulnerable file(s):
📄 package.json
next: ^15.1.0 → 15.1.9
📄 apps/web/package.json
next: ^15.4.3 → 15.4.8
react-server-dom-webpack: 19.1.0 → 19.1.2
🔧 Apply fixes? [Y/n] y
🔧 Applying fixes...
✓ Updated package.json
✓ Updated apps/web/package.json
📦 Package manager: pnpm
🔄 Refreshing lockfile...
$ pnpm install
✅ Patches applied!
Remember to test your app and commit the changes.
The tool automatically finds all package.json files in your project, excluding:
node_modules.next,.turbo,.vercel,.nuxtdist,build,.outputcoverage
Works with npm, yarn, pnpm, and bun workspaces.
MIT