fix-react-2-shell

v1.0.6

Published

14 days ago

Fix the React 2 Shell vulnerability (CVE-2025-66478) in Next.js apps with one command

0High
0Medium
0Low

allen-vercel

nextjs react security vulnerability cve rce fix patch

react-2-shell

One command to fix CVE-2025-66478 (React 2 Shell RCE) in your Next.js / React RSC app.

npx react-2-shell

No AI. No magic. Just deterministic version bumps per the official advisories.

What it does

Recursively scans all package.json files (handles monorepos)
Checks for vulnerable versions of:
- next
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Patches to the correct fixed version based on your current version
Refreshes your lockfile with the detected package manager

Affected Versions

Next.js

| Current Version | Patched Version | |-----------------|-----------------| | 15.0.0 – 15.0.4 | 15.0.5 | | 15.1.0 – 15.1.8 | 15.1.9 | | 15.2.0 – 15.2.5 | 15.2.6 | | 15.3.0 – 15.3.5 | 15.3.6 | | 15.4.0 – 15.4.7 | 15.4.8 | | 15.5.0 – 15.5.6 | 15.5.7 | | 16.0.0 – 16.0.6 | 16.0.7 | | 15.x canaries | 15.6.0-canary.58 | | 16.x canaries | 16.1.0-canary.12 | | 14.3.0-canary.77+ | Downgrade to 14.3.0-canary.76 or upgrade to 15.0.5 |

React RSC Packages

| Current Version | Patched Version | |-----------------|-----------------| | 19.0.0 | 19.0.1 | | 19.1.0, 19.1.1 | 19.1.2 | | 19.2.0 | 19.2.1 |

Usage

Check & Fix (Interactive)

npx react-2-shell

Auto-fix (CI / Non-interactive)

npx react-2-shell --fix

Check Only (Dry Run)

npx react-2-shell --dry-run

JSON Output (for scripting)

npx react-2-shell --json

Example Output

🔍 react-2-shell - CVE-2025-66478 vulnerability scanner

📂 Found 3 package.json file(s)

🚨 Found 2 vulnerable file(s):

  📄 package.json
     next: ^15.1.0 → 15.1.9

  📄 apps/web/package.json
     next: ^15.4.3 → 15.4.8
     react-server-dom-webpack: 19.1.0 → 19.1.2

🔧 Apply fixes? [Y/n] y

🔧 Applying fixes...

   ✓ Updated package.json
   ✓ Updated apps/web/package.json

📦 Package manager: pnpm
🔄 Refreshing lockfile...

$ pnpm install

✅ Successfully patched!
   Your project is no longer vulnerable to CVE-2025-66478.
   Remember to test your app and commit the changes.

Monorepo Support

The tool automatically finds all package.json files in your project, excluding:

node_modules
.next, .turbo, .vercel, .nuxt
dist, build, .output
coverage

Works with npm, yarn, pnpm, and bun workspaces.

Why No AI?

Fixing CVE-2025-66478 is purely a version bump - no code changes needed. The vulnerability is in React's flight protocol used by server components. Upgrading to the patched versions closes the RCE vector completely.

AI might help if the upgrade breaks your build, but that's a separate concern from security. This tool does one thing: patches the CVE deterministically.

Publishing

# 1. Publish main package first
npm publish

# 2. Publish alias packages (all depend on main)
cd packages/fix-react-2-shelll && npm publish   # typo (extra 'l')
cd ../fix-react-two-shell && npm publish        # alternate spelling
cd ../react-2-shell && npm publish              # short name
cd ../react-two-shell && npm publish            # short name alternate

The alias packages depend on the main package, so publish order matters.

References

License

MIT