Security News
crates.io Ships Security Tab and Tightens Publishing Controls
crates.io adds a Security tab backed by RustSec advisories and narrows trusted publishing paths to reduce common CI publishing risks.
By Sarah Gooding -  Jan 27, 2026
🚀 Launch Week Day 5:Introducing Immutable Scans.Learn More →
fix-react2shell-next
Advanced tools
fix-react2shell-next
Fix the React 2 Shell vulnerability (CVE-2025-66478) in Next.js apps with one command
fix-react2shell-next
One command to fix CVE-2025-66478 (React 2 Shell RCE) in your Next.js / React RSC app.
npx fix-react2shell-next
Deterministic version bumps per the official advisories.
What it does
- Recursively scans all
package.jsonfiles (handles monorepos) - Checks for vulnerable versions of:
nextreact-server-dom-webpackreact-server-dom-parcelreact-server-dom-turbopack
- Patches to the correct fixed version based on your current version
- Refreshes your lockfile with the detected package manager
Affected Versions
Next.js
| Current Version | Patched Version |
|---|---|
| 15.0.0 – 15.0.4 | 15.0.5 |
| 15.1.0 – 15.1.8 | 15.1.9 |
| 15.2.0 – 15.2.5 | 15.2.6 |
| 15.3.0 – 15.3.5 | 15.3.6 |
| 15.4.0 – 15.4.7 | 15.4.8 |
| 15.5.0 – 15.5.6 | 15.5.7 |
| 16.0.0 – 16.0.6 | 16.0.7 |
| 15.x canaries | 15.6.0-canary.58 |
| 16.x canaries | 16.1.0-canary.12 |
| 14.3.0-canary.77+ | Downgrade to 14.3.0-canary.76 or upgrade to 15.0.5 |
React RSC Packages
| Current Version | Patched Version |
|---|---|
| 19.0.0 | 19.0.1 |
| 19.1.0, 19.1.1 | 19.1.2 |
| 19.2.0 | 19.2.1 |
Usage
Check & Fix (Interactive)
npx fix-react2shell-next
Auto-fix (CI / Non-interactive)
npx fix-react2shell-next --fix
Check Only (Dry Run)
npx fix-react2shell-next --dry-run
JSON Output (for scripting)
npx fix-react2shell-next --json
Example Output
🔍 fix-react2shell-next - CVE-2025-66478 vulnerability scanner
đź“‚ Found 3 package.json file(s)
🚨 Found 2 vulnerable file(s):
đź“„ package.json
next: ^15.1.0 → 15.1.9
đź“„ apps/web/package.json
next: ^15.4.3 → 15.4.8
react-server-dom-webpack: 19.1.0 → 19.1.2
🔧 Apply fixes? [Y/n] y
🔧 Applying fixes...
âś“ Updated package.json
âś“ Updated apps/web/package.json
📦 Package manager: pnpm
🔄 Refreshing lockfile...
$ pnpm install
âś… Patches applied!
Remember to test your app and commit the changes.
Monorepo Support
The tool automatically finds all package.json files in your project, excluding:
node_modules.next,.turbo,.vercel,.nuxtdist,build,.outputcoverage
Works with npm, yarn, pnpm, and bun workspaces.
References
License
MIT
FAQs
Fix the React 2 Shell vulnerability (CVE-2025-66478) in Next.js apps with one command
The npm package fix-react2shell-next receives a total of 87,804 weekly downloads. As such, fix-react2shell-next popularity was classified as popular.
We found that fix-react2shell-next demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 06 Dec 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Malicious Chrome Extension Performs Hidden Affiliate Hijacking
A Chrome extension claiming to hide Amazon ads was found secretly hijacking affiliate links, replacing creators’ tags with its own without user consent.
By Kush Pandya -  Jan 27, 2026
Security News
curl Shuts Down Bug Bounty Program After Flood of AI Slop Reports
A surge of AI-generated vulnerability reports has pushed open source maintainers to rethink bug bounties and tighten security disclosure processes.
By Sarah Gooding -  Jan 23, 2026