React2Shell Threat: Next.js Releases Tool for Fast App Patching

fix-react2shell-next is a specialized command-line tool designed to help developers quickly identify and fix the important “React2Shell” vulnerability (CVE-2025-66478).

This new scanner provides a one-line way to find vulnerable Next.js and React Server Components (RSC) versions and to automatically apply the security updates shipped in the most recent Next.js release.

By recursively analyzing every package.json file in a project, the tool streamlines remediation, so it works in both ordinary single-package repositories and complex monorepos managed with yarn, pnpm, bun, or npm.

Unlike manual checks, which are prone to human error, the scanner methodically confirms the installed versions of next, react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. The utility then bumps vulnerable packages to the appropriate patched version based on the official GitHub advisory.

To ensure the fix is pinned, it then refreshes the lockfile using the detected package manager.

For instance, a vulnerable Next.js 15.1.0 installation is upgraded directly to the patched 15.1.9 release. According to GitHub, the issue affects specific Next.js and React RSC package release lines.

Developers running any version within the “Affected” ranges listed below should update right away. The tool can be run directly with npx. Running the standard command gives an interactive mode that asks for confirmation before making changes.

The fix flag makes the tool apply patches automatically, for continuous integration (CI) environments or other automated pipelines where prompts are not feasible. Conversely, teams that want to audit a project without modifying anything yet can use the dry-run flag to get a report of what would be changed.

The json flag, intended for scripting, lets security teams pipe the output into other monitoring tools.
