fix-react-2-shell
Advanced tools
Fix the React 2 Shell vulnerability (CVE-2025-66478) in Next.js apps with one command
One command to fix CVE-2025-66478 (React 2 Shell RCE) in your Next.js / React RSC app.
npx react-2-shell
No AI. No magic. Just deterministic version bumps per the official advisories.
package.json files (handles monorepos)nextreact-server-dom-webpackreact-server-dom-parcelreact-server-dom-turbopack| Current Version | Patched Version |
|---|---|
| 15.0.0 – 15.0.4 | 15.0.5 |
| 15.1.0 – 15.1.8 | 15.1.9 |
| 15.2.0 – 15.2.5 | 15.2.6 |
| 15.3.0 – 15.3.5 | 15.3.6 |
| 15.4.0 – 15.4.7 | 15.4.8 |
| 15.5.0 – 15.5.6 | 15.5.7 |
| 16.0.0 – 16.0.6 | 16.0.7 |
| 15.x canaries | 15.6.0-canary.58 |
| 16.x canaries | 16.1.0-canary.12 |
| 14.3.0-canary.77+ | Downgrade to 14.3.0-canary.76 or upgrade to 15.0.5 |
| Current Version | Patched Version |
|---|---|
| 19.0.0 | 19.0.1 |
| 19.1.0, 19.1.1 | 19.1.2 |
| 19.2.0 | 19.2.1 |
npx react-2-shell
npx react-2-shell --fix
npx react-2-shell --dry-run
npx react-2-shell --json
🔍 react-2-shell - CVE-2025-66478 vulnerability scanner
📂 Found 3 package.json file(s)
🚨 Found 2 vulnerable file(s):
📄 package.json
next: ^15.1.0 → 15.1.9
📄 apps/web/package.json
next: ^15.4.3 → 15.4.8
react-server-dom-webpack: 19.1.0 → 19.1.2
🔧 Apply fixes? [Y/n] y
🔧 Applying fixes...
✓ Updated package.json
✓ Updated apps/web/package.json
📦 Package manager: pnpm
🔄 Refreshing lockfile...
$ pnpm install
✅ Successfully patched!
Your project is no longer vulnerable to CVE-2025-66478.
Remember to test your app and commit the changes.
The tool automatically finds all package.json files in your project, excluding:
node_modules.next, .turbo, .vercel, .nuxtdist, build, .outputcoverageWorks with npm, yarn, pnpm, and bun workspaces.
Fixing CVE-2025-66478 is purely a version bump - no code changes needed. The vulnerability is in React's flight protocol used by server components. Upgrading to the patched versions closes the RCE vector completely.
AI might help if the upgrade breaks your build, but that's a separate concern from security. This tool does one thing: patches the CVE deterministically.
# 1. Publish main package first
npm publish
# 2. Publish alias packages (all depend on main)
cd packages/fix-react-2-shelll && npm publish # typo (extra 'l')
cd ../fix-react-two-shell && npm publish # alternate spelling
cd ../react-2-shell && npm publish # short name
cd ../react-two-shell && npm publish # short name alternate
The alias packages depend on the main package, so publish order matters.
MIT
FAQs
Fix the React 2 Shell vulnerability (CVE-2025-66478) in Next.js apps with one command
The npm package fix-react-2-shell receives a total of 6 weekly downloads. As such, fix-react-2-shell popularity was classified as not popular.
We found that fix-react-2-shell demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Chrome 144 introduces the Temporal API, a modern approach to date and time handling designed to fix long-standing issues with JavaScript’s Date object.
Research
Five coordinated Chrome extensions enable session hijacking and block security controls across enterprise HR and ERP platforms.
Research
Node.js patched a crash bug where AsyncLocalStorage could cause stack overflows to bypass error handlers and terminate production servers.