CLI tool to detect and fix CVE-2025-55182 (React2Shell) vulnerability in React Server Components and Next.js

```bash
npm install @amirmalek/fix-react2shell
```

A CLI tool to detect and fix the critical CVE-2025-55182 (React2Shell) vulnerability in React Server Components and Next.js applications.
CVE-2025-55182 is a critical (CVSS 10.0) unauthenticated remote code execution vulnerability affecting:
- React Server DOM packages (versions 19.0.0, 19.1.0, 19.1.1, 19.2.0)
- Next.js (versions 14.3.0-canary.77 through unpatched 15.x and 16.x)
The vulnerability is an unsafe deserialization flaw in the React Server Components Flight protocol. Exploitation requires only a crafted HTTP request, and public exploit code is available.
There is no workaround — upgrading to a patched version is required.
- React Official Advisory
- Next.js Security Advisory
- Vercel Summary
Run it directly with npx:

```bash
npx @amirmalek/fix-react2shell
```

Or clone the repository:

```bash
git clone https://github.com/amir-malek/react-cve-2025-55182.git
cd react-cve-2025-55182
node fix-react2shell.js
```

Or download the single script:

```bash
curl -O https://raw.githubusercontent.com/amir-malek/react-cve-2025-55182/main/fix-react2shell.js
node fix-react2shell.js
```
Navigate to your React/Next.js project directory and run:

```bash
# Dry-run mode (default) - shows what would be upgraded
npx @amirmalek/fix-react2shell
```
Example output:

```text
╔══════════════════════════════════════════════════════════════╗
║ CVE-2025-55182 (React2Shell) Vulnerability Scanner           ║
╚══════════════════════════════════════════════════════════════╝

Package manager: yarn
Project: my-nextjs-app

⚠ Found 1 vulnerable package(s):

  ✗ next
    Current: 15.3.5 → Safe: 15.3.7

────────────────────────────────────────────────────────────
DRY RUN MODE - No changes made.
Run with --fix to upgrade packages.

Command that would be run:
  yarn add next@15.3.7
```

## Features
- Smart Detection — Only flags actually vulnerable versions, not all React 19 projects
- Multi-Package Manager Support — Automatically detects and uses npm, yarn, or pnpm
- Safe by Default — Runs in dry-run mode unless `--fix` is explicitly passed
- Zero Dependencies — Uses only Node.js built-in modules
- Portable — Works in any project directory

## Vulnerable Versions
### React Server DOM packages

| Package | Vulnerable | Safe |
|---------|------------|------|
| `react-server-dom-webpack` | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| `react-server-dom-parcel` | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |
| `react-server-dom-turbopack` | 19.0.0, 19.1.0, 19.1.1, 19.2.0 | 19.0.1, 19.1.2, 19.2.1 |

### Next.js

| Branch | Safe Version |
|--------|--------------|
| 15.0.x | 15.0.5 |
| 15.1.x | 15.1.9 |
| 15.2.x | 15.2.6 |
| 15.3.x | 15.3.6 |
| 15.4.x | 15.4.8 |
| 15.5.x | 15.5.7 |
| 16.0.x | 16.0.7 |
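The following is an added example, not the fix-react2shell tool's own code, showing how the "Smart Detection" and package-manager features above can be driven by the two tables: it judges one installed package at a time (exact vulnerable releases for the React Server DOM packages, "below the branch's patched release" for Next.js), picks the package manager from the lockfiles present, and assembles the upgrade command a dry run would print. It assumes resolved versions are supplied as a map (in practice read from `node_modules/<pkg>/package.json` or the lockfile, since a `^15.3.0` range in `package.json` says nothing about what is installed), treats only `14.3.0-canary.77` and later canaries as the affected 14.x releases, and returns `null` rather than guessing for branches the table does not cover. The sample project data is constructed. Note that the tool's own sample output above upgrades 15.3.5 to 15.3.7 while the table lists 15.3.6 as the 15.3 target; refresh the tables from the advisories before relying on them.

```javascript
// Added example (not the fix-react2shell tool's own code): a version check driven
// by the tables above, lockfile-based package-manager detection, and the upgrade
// command a dry run would print. No dependencies beyond core JavaScript.

// Exact vulnerable releases of the three React Server DOM packages (from the table above).
const VULNERABLE_RSD_VERSIONS = new Set(["19.0.0", "19.1.0", "19.1.1", "19.2.0"]);
// Patched release per React Server DOM minor line: a vulnerable 19.y.z upgrades to SAFE_RSD["19.y"].
const SAFE_RSD = { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" };
const RSD_PACKAGES = [
  "react-server-dom-webpack",
  "react-server-dom-parcel",
  "react-server-dom-turbopack",
];
// First patched release per Next.js branch (from the table above).
const SAFE_NEXT = {
  "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
  "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7",
};

// Parse an exact "major.minor.patch[-prerelease]" string. Returns null for ranges
// such as "^15.3.0": only the resolved version installed in node_modules can be judged.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Judge one installed package. Returns { vulnerable, safe } (safe is the upgrade target,
// or null when none applies) or null when the version cannot be judged: an inexact
// version string, a package outside the advisory, or a Next.js branch the table omits.
function checkPackage(name, version) {
  const p = parseVersion(version);
  if (!p) return null;
  const branch = `${p.major}.${p.minor}`;

  if (RSD_PACKAGES.includes(name)) {
    // Only the four listed releases are affected; everything else on 19.x is left alone.
    return VULNERABLE_RSD_VERSIONS.has(version)
      ? { vulnerable: true, safe: SAFE_RSD[branch] }
      : { vulnerable: false, safe: null };
  }

  if (name === "next") {
    if (p.major === 14) {
      // The advisory range starts at 14.3.0-canary.77; assumption: no other 14.x release is affected.
      const canary = p.pre && /^canary\.(\d+)$/.exec(p.pre);
      const hit = p.minor === 3 && p.patch === 0 && Boolean(canary) && Number(canary[1]) >= 77;
      return { vulnerable: hit, safe: null }; // no 14.x patch in the table; move to a patched branch
    }
    const safe = SAFE_NEXT[branch];
    if (!safe) return null; // branch not covered by the table: check the advisory, do not guess
    const s = parseVersion(safe);
    // Anything below the branch's patched release is vulnerable, and a prerelease of
    // the patched version (e.g. 15.3.6-canary.1) still sorts below it.
    const below = p.patch < s.patch || (p.patch === s.patch && p.pre !== null);
    return { vulnerable: below, safe: below ? safe : null };
  }

  return null;
}

// Choose the package manager from the lockfiles present in the project directory
// (pnpm first so a pnpm project with a stale yarn.lock is not mis-detected).
function detectPackageManager(fileNames) {
  if (fileNames.includes("pnpm-lock.yaml")) return "pnpm";
  if (fileNames.includes("yarn.lock")) return "yarn";
  return "npm";
}

// Scan a map of installed package -> resolved version and collect the vulnerable ones.
function scanInstalled(installed) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    const r = checkPackage(name, version);
    if (r && r.vulnerable) findings.push({ name, current: version, safe: r.safe });
  }
  return findings;
}

// The single upgrade command the dry run prints (only findings with a known target).
function upgradeCommand(pm, findings) {
  const specs = findings.filter((f) => f.safe).map((f) => `${f.name}@${f.safe}`).join(" ");
  if (!specs) return null;
  return pm === "npm" ? `npm install ${specs}` : `${pm} add ${specs}`;
}

// Constructed sample project: yarn, an unpatched next 15.3.5, an already patched
// react-server-dom-webpack, and plain react (which the advisory does not list).
const SAMPLE_INSTALLED = { next: "15.3.5", "react-server-dom-webpack": "19.1.2", react: "19.1.0" };
const SAMPLE_FILES = ["package.json", "yarn.lock", "node_modules"];

function demo() {
  const pm = detectPackageManager(SAMPLE_FILES);
  const findings = scanInstalled(SAMPLE_INSTALLED);
  return { pm, findings, command: upgradeCommand(pm, findings) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the script prints the yarn detection, the single `next` finding with its `15.3.6` target, and `yarn add next@15.3.6`. The `null` return from `checkPackage` is deliberate: a scanner that silently treats an unknown branch as safe would hide exactly the releases added after the table was written.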
Once you have patched your versions and redeployed your application, it is strongly recommended to:
1. Rotate all application secrets (API keys, database credentials, JWT secrets, etc.)
2. Review application logs for any signs of prior exploitation
3. Audit your infrastructure if you suspect compromise
## License

MIT

## Contributing

Issues and pull requests are welcome at github.com/amir-malek/react-cve-2025-55182.