Vercel has released a new command-line tool, fix-react2shell-next, to help developers quickly detect and patch CVE-2025-66478, a critical remote code execution (RCE) vulnerability dubbed “React 2 Shell” that affects Next.js and React Server Components (RSC) apps.
Available via npx fix-react2shell-next, the tool recursively scans projects, identifies vulnerable dependencies, and applies precise version bumps based on official advisories from the Next.js team.
This comes amid heightened scrutiny on supply chain risks in JavaScript ecosystems.
The vulnerability allows attackers to execute arbitrary code on servers by exploiting malformed RSC payloads in libraries like react-server-dom-webpack.
It impacts thousands of production apps using Next.js versions 15.x and 16.x canaries, as well as related RSC packages.
No CVSS score is published yet, but the RCE nature makes it severe, prompting urgent patches.
Affected Versions and Patches
The tool targets specific vulnerable ranges, ensuring deterministic upgrades without breaking changes.
Here’s a breakdown:
| Package | Vulnerable Versions | Patched Version |
|---|---|---|
| Next.js | 15.0.0 – 15.0.4 | 15.0.5 |
| Next.js | 15.1.0 – 15.1.8 | 15.1.9 |
| Next.js | 15.2.0 – 15.2.5 | 15.2.6 |
| Next.js | 15.3.0 – 15.3.5 | 15.3.6 |
| Next.js | 15.4.0 – 15.4.7 | 15.4.8 |
| Next.js | 15.5.0 – 15.5.6 | 15.5.7 |
| Next.js | 16.0.0 – 16.0.6 | 16.0.7 |
| Next.js | 15.x canaries | 15.6.0-canary.58 |
| Next.js | 16.x canaries | 16.1.0-canary.12 |
| Next.js | 14.3.0-canary.77+ | Downgrade to 14.3.0-canary.76 or 15.0.5 |
| react-server-dom-webpack | 19.0.0 | 19.0.1 |
| react-server-dom-webpack | 19.1.0, 19.1.1 | 19.1.2 |
| react-server-dom-parcel | 19.2.0 | 19.2.1 |
| react-server-dom-turbopack | (Similar ranges) | Per advisory |
How It Works and Usage
Hosted under Vercel Labs, the open-source CLI (MIT-licensed) is built to handle monorepos.
It scans all package.json files, skips directories such as node_modules, .next, dist, and build outputs, and then detects package managers (npm, yarn, pnpm, and bun).
Run interactively for scans and prompts:
```sh
npx fix-react2shell-next
```
Output example:
```text
🔍 fix-react2shell-next - CVE-2025-66478 vulnerability scanner
📂 Found 3 package.json file(s)
🚨 Found 2 vulnerable file(s):
📄 package.json: next: ^15.1.0 → 15.1.9
📄 apps/web/package.json: next: ^15.4.3 → 15.4.8, react-server-dom-webpack: 19.1.0 → 19.1.2
🔧 Apply fixes? [Y/n] y
✅ Patches applied! Run pnpm install.
```
Options include --fix (auto-patch), --dry-run (check only), and --json (scriptable output). After patching, refresh lockfiles and test the apps.
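As an added example that is not part of the article or of Vercel's tool, the following Node.js snippet shows the core check such a scanner performs: it maps each dependency spec in a package.json onto the advisory ranges in the table above and reports the version to bump to. The ADVISORY object, the function names and the sample package.json are constructed for this illustration.

```javascript
// Added example, not Vercel's own code: check package.json dependency specs against
// the advisory table above and return the patched version to bump to. Ranges are
// transcribed from the table (stable releases only; canaries follow the table's note).
const ADVISORY = {
  next: [
    ["15.0.0", "15.0.4", "15.0.5"], ["15.1.0", "15.1.8", "15.1.9"],
    ["15.2.0", "15.2.5", "15.2.6"], ["15.3.0", "15.3.5", "15.3.6"],
    ["15.4.0", "15.4.7", "15.4.8"], ["15.5.0", "15.5.6", "15.5.7"],
    ["16.0.0", "16.0.6", "16.0.7"],
  ],
  "react-server-dom-webpack": [["19.0.0", "19.0.0", "19.0.1"], ["19.1.0", "19.1.1", "19.1.2"]],
  "react-server-dom-parcel": [["19.2.0", "19.2.0", "19.2.1"]],
};
// Parse "^15.1.0", "~15.4.3", ">=16.0.0" or "16.0.2" into [major, minor, patch, prerelease].
// Returns null for specs with no concrete base version ("latest", "*", "workspace:*").
function parseSpec(spec) {
  const m = /^[\^~>=\s]*(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(spec).trim());
  return m ? [+m[1], +m[2], +m[3], m[4] || ""] : null;
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Patched version if the spec's base version lies in a vulnerable range, else null.
// Like the CLI output above, a ^/~ spec is judged by its floor; the lockfile's
// resolved version is the authoritative answer, so treat this as first-pass triage.
function patchedVersionFor(pkg, spec) {
  const ranges = ADVISORY[pkg], v = parseSpec(spec);
  if (!ranges || !v || v[3]) return null; // unknown package, odd spec, or canary build
  for (const [lo, hi, fixed] of ranges) {
    if (cmp(v, parseSpec(lo)) >= 0 && cmp(v, parseSpec(hi)) <= 0) return fixed;
  }
  return null;
}
// Walk dependencies and devDependencies of a parsed package.json; list the bumps needed.
function scanPackageJson(pkgJson) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [pkg, spec] of Object.entries(pkgJson[field] || {})) {
      const fixed = patchedVersionFor(pkg, spec);
      if (fixed) findings.push({ pkg, from: spec, to: fixed });
    }
  }
  return findings;
}
// Constructed sample mirroring the apps/web/package.json line in the output above.
const SAMPLE = { dependencies: { next: "^15.4.3", "react-server-dom-webpack": "19.1.0", react: "19.1.0" } };
console.log(scanPackageJson(SAMPLE));
```

In a real repository the definitive check is the resolved version in the lockfile, since a caret spec such as ^15.1.0 may already have been installed as a patched release.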
This streamlined fix reduces manual auditing time, vital for CI/CD pipelines. Developers should commit changes and monitor for exploits.
Vercel urges immediate upgrades amid rising RCE threats in React ecosystems.