Vercel has released a new command-line tool, fix-react2shell-next, to help developers quickly detect and patch CVE-2025-66478, a critical remote code execution (RCE) vulnerability dubbed “React 2 Shell” that affects Next.js and React Server Components (RSC) apps.
Available via npx fix-react2shell-next, the tool recursively scans projects, identifies vulnerable dependencies, and applies precise version bumps based on official advisories from the Next.js team.
This comes amid heightened scrutiny on supply chain risks in JavaScript ecosystems.
The vulnerability allows attackers to execute arbitrary code on servers by exploiting malformed RSC payloads in libraries like react-server-dom-webpack.
It impacts thousands of production apps using Next.js versions 15.x and 16.x canaries, as well as related RSC packages.
No CVSS score is published yet, but the RCE nature makes it severe, prompting urgent patches.
The tool targets specific vulnerable ranges, ensuring deterministic upgrades without breaking changes.
Here’s a breakdown:
| Package | Vulnerable Versions | Patched Version |
|---|---|---|
| Next.js | 15.0.0 – 15.0.4 | 15.0.5 |
| 15.1.0 – 15.1.8 | 15.1.9 | |
| 15.2.0 – 15.2.5 | 15.2.6 | |
| 15.3.0 – 15.3.5 | 15.3.6 | |
| 15.4.0 – 15.4.7 | 15.4.8 | |
| 15.5.0 – 15.5.6 | 15.5.7 | |
| 16.0.0 – 16.0.6 | 16.0.7 | |
| 15.x canaries | 15.6.0-canary.58 | |
| 16.x canaries | 16.1.0-canary.12 | |
| 14.3.0-canary.77+ | Downgrade to 14.3.0-canary.76 or 15.0.5 | |
| react-server-dom-webpack | 19.0.0 | 19.0.1 |
| 19.1.0, 19.1.1 | 19.1.2 | |
| react-server-dom-parcel | 19.2.0 | 19.2.1 |
| react-server-dom-turbopack | (Similar ranges) | Per advisory |
Hosted on Vercel Labs, the open-source CLI (MIT-licensed) excels in monorepos.
It scans all package.json files, skips directories such as node_modules, .next, dist, and build outputs, and then detects package managers (npm, yarn, pnpm, and bun).
Run interactively for scans and prompts:
npx fix-react2shell-nextOutput example:
🔍 fix-react2shell-next - CVE-2025-66478 vulnerability scanner
📂 Found 3 package.json file(s)
🚨 Found 2 vulnerable file(s):
📄 package.json: next: ^15.1.0 → 15.1.9
📄 apps/web/package.json: next: ^15.4.3 → 15.4.8, react-server-dom-webpack: 19.1.0 → 19.1.2
🔧 Apply fixes? [Y/n] y
✅ Patches applied! Run pnpm install.Options include –fix (auto-patch), –dry-run (check only), –json (scriptable). Post-patch, refresh lockfiles and test apps.
This streamlined fix reduces manual auditing time, vital for CI/CD pipelines. Developers should commit changes and monitor for exploits.
Vercel urges immediate upgrades amid rising RCE threats in React ecosystems.
PortSwigger has leveled up Burp Suite's scanning arsenal with the latest Active Scan++ extension, version…
Unit 42 researchers at Palo Alto Networks exposed serious flaws in the Model Context Protocol…
Polish police have arrested three Ukrainian men traveling through Europe and seized a cache of…
Google has launched its most significant Chrome update ever, embedding Gemini AI across the browser…
Attackers exploit this vulnerability through the router's web interface components, specifically "cgibin" and "hnap_main," by…
Security researchers have uncovered a severe flaw in Apache Tika, a popular open-source toolkit for…