Next.js Launches Tool to Fix React2Shell Vulnerability in Affected Versions

Next.js Introduces Automated Scanner to Mitigate React2Shell Vulnerability

In response to the critical React2Shell vulnerability (CVE-2025-66478), the Next.js development team has unveiled a command-line tool named `fix-react2shell-next`. This utility is designed to assist developers in promptly identifying and rectifying affected versions of Next.js and React Server Components (RSC).

Automated Detection and Patching

The `fix-react2shell-next` tool streamlines the remediation process by conducting a comprehensive scan of all `package.json` files within a project. This ensures compatibility across various repository structures, including complex monorepos managed by package managers such as npm, yarn, pnpm, or bun.

By systematically verifying the installed versions of critical packages—namely `next`, `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`—the scanner identifies any instances of the vulnerability. Upon detection, it automatically updates the affected packages to their secure versions as specified in the official GitHub advisory. Subsequently, the tool refreshes the lockfile using the appropriate package manager to ensure the fixes are properly integrated.

For instance, if a project is running a vulnerable Next.js version 15.1.0, the tool will upgrade it directly to the patched 15.1.9 release.

Affected Versions and Recommended Actions

The React2Shell vulnerability impacts multiple versions of Next.js and React RSC packages. Developers utilizing any of the versions listed below are strongly advised to upgrade immediately:

| Package | Affected Version Range | Patched Version |
|---------|------------------------|-----------------|
| Next.js | 15.0.0 – 15.0.4 | 15.0.5 |
| | 15.1.0 – 15.1.8 | 15.1.9 |
| | 15.2.0 – 15.2.5 | 15.2.6 |
| | 15.3.0 – 15.3.5 | 15.3.6 |
| | 15.4.0 – 15.4.7 | 15.4.8 |
| | 16.0.0 – 16.0.6 | 16.0.7 |
| React RSC | 19.0.0 | 19.0.1 |
| | 19.1.0 – 19.1.1 | 19.1.2 |
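To make the version check concrete, here is an added example (not the `fix-react2shell-next` tool's own code) that encodes the ranges from the table above and applies the check described under Automated Detection and Patching to a constructed set of installed versions; the input shape and the `findVulnerable` helper are assumptions for illustration.

```javascript
const NEXT_RANGES = [
  ['15.0.0', '15.0.4', '15.0.5'], ['15.1.0', '15.1.8', '15.1.9'],
  ['15.2.0', '15.2.5', '15.2.6'], ['15.3.0', '15.3.5', '15.3.6'],
  ['15.4.0', '15.4.7', '15.4.8'], ['16.0.0', '16.0.6', '16.0.7'],
];
const RSC_RANGES = [['19.0.0', '19.0.0', '19.0.1'], ['19.1.0', '19.1.1', '19.1.2']];
// The four packages the scanner checks, each with [first affected, last affected, patched].
const AFFECTED = {
  next: NEXT_RANGES,
  'react-server-dom-webpack': RSC_RANGES,
  'react-server-dom-parcel': RSC_RANGES,
  'react-server-dom-turbopack': RSC_RANGES,
};

// Parse a concrete version ("15.1.0", "v15.1.0") into numeric [major, minor, patch].
// Returns null for range specifiers such as "^15.1.0" or "latest": a package.json
// range is not the installed version, which is why the real tool reads the lockfile.
// A prerelease suffix ("15.1.0-canary.3") is ignored, so such builds are
// reported with their base version (conservative: over-reports rather than misses).
function parseExact(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// installed: { packageName: exactVersion }, as resolved from a lockfile (assumed input shape).
// Returns one finding per vulnerable package plus the names whose version
// could not be parsed and therefore need a manual look.
function findVulnerable(installed) {
  const findings = [], unknown = [];
  for (const [name, ranges] of Object.entries(AFFECTED)) {
    if (!(name in installed)) continue;
    const v = parseExact(installed[name]);
    if (!v) { unknown.push(name); continue; }
    for (const [lo, hi, patched] of ranges) {
      if (compare(v, parseExact(lo)) >= 0 && compare(v, parseExact(hi)) <= 0) {
        findings.push({ name, installed: installed[name], patched });
        break;
      }
    }
  }
  return { findings, unknown };
}

// Constructed sample: the article's 15.1.0 case beside an already patched RSC package.
console.log(JSON.stringify(findVulnerable({ next: '15.1.0', 'react-server-dom-webpack': '19.1.2' })));
```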

Utilizing the Scanner

Developers can execute the tool directly using `npx`. For an interactive experience that prompts for confirmation before applying changes, the following command can be used:

```bash
npx fix-react2shell-next
```

In continuous integration (CI) environments or automated workflows where manual prompts are impractical, the `--fix` flag can be employed to apply patches automatically:

```bash
npx fix-react2shell-next --fix
```

For auditing purposes without making immediate changes, the `--dry-run` flag provides a report of potential updates:

```bash
npx fix-react2shell-next --dry-run
```

Additionally, the `--json` flag allows for output in JSON format, facilitating integration with other monitoring tools:

```bash
npx fix-react2shell-next --json
```

Conclusion

The release of the `fix-react2shell-next` scanner underscores the Next.js team’s commitment to security and developer support. By providing an efficient and automated means to detect and patch the React2Shell vulnerability, this tool empowers developers to safeguard their applications against potential exploits. Immediate adoption of this utility is recommended to ensure the integrity and security of Next.js applications.