fix-react-2-shell
Advanced tools
Fix the React 2 Shell vulnerability (CVE-2025-66478) in Next.js apps with one command
One command to fix CVE-2025-66478 (React 2 Shell RCE) in your Next.js / React RSC app.
npx react-2-shell
No AI. No magic. Just deterministic version bumps per the official advisories.
package.json files (handles monorepos)nextreact-server-dom-webpackreact-server-dom-parcelreact-server-dom-turbopack| Current Version | Patched Version |
|---|---|
| 15.0.0 – 15.0.4 | 15.0.5 |
| 15.1.0 – 15.1.8 | 15.1.9 |
| 15.2.0 – 15.2.5 | 15.2.6 |
| 15.3.0 – 15.3.5 | 15.3.6 |
| 15.4.0 – 15.4.7 | 15.4.8 |
| 15.5.0 – 15.5.6 | 15.5.7 |
| 16.0.0 – 16.0.6 | 16.0.7 |
| 15.x canaries | 15.6.0-canary.58 |
| 16.x canaries | 16.1.0-canary.12 |
| 14.3.0-canary.77+ | Downgrade to 14.3.0-canary.76 or upgrade to 15.0.5 |
| Current Version | Patched Version |
|---|---|
| 19.0.0 | 19.0.1 |
| 19.1.0, 19.1.1 | 19.1.2 |
| 19.2.0 | 19.2.1 |
npx react-2-shell
npx react-2-shell --fix
npx react-2-shell --dry-run
npx react-2-shell --json
🔍 react-2-shell - CVE-2025-66478 vulnerability scanner
📂 Found 3 package.json file(s)
🚨 Found 2 vulnerable file(s):
📄 package.json
next: ^15.1.0 → 15.1.9
📄 apps/web/package.json
next: ^15.4.3 → 15.4.8
react-server-dom-webpack: 19.1.0 → 19.1.2
🔧 Apply fixes? [Y/n] y
🔧 Applying fixes...
✓ Updated package.json
✓ Updated apps/web/package.json
📦 Package manager: pnpm
🔄 Refreshing lockfile...
$ pnpm install
✅ Successfully patched!
Your project is no longer vulnerable to CVE-2025-66478.
Remember to test your app and commit the changes.
The tool automatically finds all package.json files in your project, excluding:
node_modules.next, .turbo, .vercel, .nuxtdist, build, .outputcoverageWorks with npm, yarn, pnpm, and bun workspaces.
Fixing CVE-2025-66478 is purely a version bump - no code changes needed. The vulnerability is in React's flight protocol used by server components. Upgrading to the patched versions closes the RCE vector completely.
AI might help if the upgrade breaks your build, but that's a separate concern from security. This tool does one thing: patches the CVE deterministically.
# 1. Publish main package first
npm publish
# 2. Publish alias packages (all depend on main)
cd packages/fix-react-2-shelll && npm publish # typo (extra 'l')
cd ../fix-react-two-shell && npm publish # alternate spelling
cd ../react-2-shell && npm publish # short name
cd ../react-two-shell && npm publish # short name alternate
The alias packages depend on the main package, so publish order matters.
MIT
FAQs
Fix the React 2 Shell vulnerability (CVE-2025-66478) in Next.js apps with one command
The npm package fix-react-2-shell receives a total of 4 weekly downloads. As such, fix-react-2-shell popularity was classified as not popular.
We found that fix-react-2-shell demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
The U.S. government is rolling back software supply chain mandates, shifting from mandatory SBOMs and attestations to a risk-based approach.
Security News
crates.io adds a Security tab backed by RustSec advisories and narrows trusted publishing paths to reduce common CI publishing risks.
Research
/Security News
A Chrome extension claiming to hide Amazon ads was found secretly hijacking affiliate links, replacing creators’ tags with its own without user consent.