fix-react-2-shell
Advanced tools
Fix the React 2 Shell vulnerability (CVE-2025-66478) in Next.js apps with one command
One command to fix CVE-2025-66478 (React 2 Shell RCE) in your Next.js / React RSC app.
npx fix-react-2-shell
No AI. No magic. Just deterministic version bumps per the official advisories.
package.json files (handles monorepos)nextreact-server-dom-webpackreact-server-dom-parcelreact-server-dom-turbopack| Current Version | Patched Version |
|---|---|
| 15.0.0 – 15.0.4 | 15.0.5 |
| 15.1.0 – 15.1.8 | 15.1.9 |
| 15.2.0 – 15.2.5 | 15.2.6 |
| 15.3.0 – 15.3.5 | 15.3.6 |
| 15.4.0 – 15.4.7 | 15.4.8 |
| 15.5.0 – 15.5.6 | 15.5.7 |
| 16.0.0 – 16.0.6 | 16.0.7 |
| 15.x canaries | 15.6.0-canary.58 |
| 16.x canaries | 16.1.0-canary.12 |
| 14.3.0-canary.77+ | Downgrade to 14.3.0-canary.76 or upgrade to 15.0.5 |
| Current Version | Patched Version |
|---|---|
| 19.0.0 | 19.0.1 |
| 19.1.0, 19.1.1 | 19.1.2 |
| 19.2.0 | 19.2.1 |
npx fix-react-2-shell
npx fix-react-2-shell --fix
npx fix-react-2-shell --dry-run
npx fix-react-2-shell --json
🔍 fix-react-2-shell - CVE-2025-66478 vulnerability scanner
đź“‚ Found 3 package.json file(s)
🚨 Found 2 vulnerable file(s):
đź“„ package.json
next: ^15.1.0 → 15.1.9
đź“„ apps/web/package.json
next: ^15.4.3 → 15.4.8
react-server-dom-webpack: 19.1.0 → 19.1.2
🔧 Apply fixes? [Y/n] y
🔧 Applying fixes...
âś“ Updated package.json
âś“ Updated apps/web/package.json
📦 Package manager: pnpm
🔄 Refreshing lockfile...
$ pnpm install
âś… Successfully patched!
Your project is no longer vulnerable to CVE-2025-66478.
Remember to test your app and commit the changes.
The tool automatically finds all package.json files in your project, excluding:
node_modules.next, .turbo, .vercel, .nuxtdist, build, .outputcoverageWorks with npm, yarn, pnpm, and bun workspaces.
Fixing CVE-2025-66478 is purely a version bump - no code changes needed. The vulnerability is in React's flight protocol used by server components. Upgrading to the patched versions closes the RCE vector completely.
AI might help if the upgrade breaks your build, but that's a separate concern from security. This tool does one thing: patches the CVE deterministically.
MIT
FAQs
Fix the React 2 Shell vulnerability (CVE-2025-66478) in Next.js apps with one command
The npm package fix-react-2-shell receives a total of 8 weekly downloads. As such, fix-react-2-shell popularity was classified as not popular.
We found that fix-react-2-shell demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Product
Socket's new Alert Details page is designed to surface more context, with a clearer layout, reachability dependency chains, and structured review.
Product
Campaign-level threat intelligence in Socket now shows when active supply chain attacks affect your repositories and packages.
Research
Malicious PyPI package sympy-dev targets SymPy users, a Python symbolic math library with 85 million monthly downloads.