fix-react2shell-next is a dedicated command-line tool that helps developers quickly detect and patch the critical "React2Shell" vulnerability (CVE-2025-66478).
The scanner offers a one-line command to identify vulnerable versions of Next.js and the React Server Components (RSC) packages and to automatically apply the patched releases published with the advisory.
Automated Detection and Patching
The tool simplifies remediation by recursively scanning every package.json file in a project.
This design lets it work across both standard repositories and complex monorepos managed by npm, yarn, pnpm, or bun.
Unlike manual checks, which are prone to human error, the scanner systematically verifies the installed versions of next, react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack.
Once vulnerable packages are identified, the utility patches them to the correct, secure version, as determined by the official GitHub advisory.
It then refreshes the lockfile using the detected package manager so that the fix is properly pinned.
For example, it will automatically upgrade a vulnerable Next.js 15.1.0 installation directly to the fixed 15.1.9 release. After the run, confirm that the lockfile actually resolves next and the react-server-dom-* packages to the patched versions: a declared range such as ^15.1.0 in package.json says nothing about which version is installed.
The vulnerability affects several release lines of Next.js and of the React RSC packages, as reported by GitHub.
Developers running any version within the "Affected" ranges below should upgrade immediately.
Package        Affected version range   Patched version
Next.js        15.0.0 – 15.0.4          15.0.5
               15.1.0 – 15.1.8          15.1.9
               15.2.0 – 15.2.5          15.2.6
               15.3.0 – 15.3.5          15.3.6
               15.4.0 – 15.4.7          15.4.8
               16.0.0 – 16.0.6          16.0.7
React RSC      19.0.0                   19.0.1
               19.1.0 – 19.1.1          19.1.2
How to Use the Scanner
Developers can run the tool directly with npx. For an interactive session that asks for confirmation before making changes, run the standard command: npx fix-react2shell-next.
For continuous integration (CI) environments or automated workflows where prompts are not possible, the fix flag (--fix) makes the tool apply patches without asking.
Conversely, teams that want to audit a project without making immediate changes can use the dry-run flag (--dry-run) to see a report of what would be updated.
A json flag (--json) is also available for scripting, so security teams can pipe the output into other monitoring tools.
