Should I manually update React/React-DOM after running npx fix-react2shell-next?

Hi everyone,
I ran the command npx fix-react2shell-next mentioned in the recent Vercel blog to check for vulnerabilities. After running it, I got this output:

Found 1 vulnerable file(s):

  package.json
     next: 15.4.8 -> 15.4.10 [CVE-2025-55184, CVE-2025-55183, CVE-2025-67779]

Apply fixes? [Y/n] Y

The tool successfully updated my Next.js version, but my react and react-dom versions are still the same (19.1.0).

My question:
Do I need to update react and react-dom manually, or does this tool only handle Next.js updates? What’s the recommended approach here?

Thanks!

Upgrading Next alone is ok to make you safe from the React2Shell exploit

Next.js bundles React internally on the server-side, and that contains the portion of React that had the vulnerability, so upgrading Next is all that’s needed.

It’s possible to have a Next.js app that has no react dependency in its package.json at all, which is why two separate CVEs were issued: one for react, and one for the bundled version of React inside Next.js.

Modern developer tooling requires the package.json to specify all dependencies that are referenced in code, so having react in your package.json is normal, but the version that actually gets used on the server is controlled by Next.

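To make the point above concrete, here is an added example (not from this thread, and not code from the fix-react2shell-next tool or from Next.js) that checks whether a declared or installed Next.js version sits at or above a patched floor. The only floor it knows, 15.4.10 for the 15.4 line, is the one the tool printed in the original post; the lookup table is otherwise a placeholder you would fill in from the advisory for your release line. Keep in mind that package.json usually holds a range such as ^15.4.8, which is only a lower bound, so the version that matters is the one actually installed in node_modules/next/package.json (or pinned in your lockfile).

```javascript
// Added example: version-floor check for the Next.js dependency.
// Assumptions: the 15.4 -> 15.4.10 floor comes from the original post;
// any other release line would need its own entry from the advisory.

// Parse "15.4.10", "^15.4.8", ">=15.4.10", "15.4.8-canary.3" into numbers.
// Returns null for specs that carry no concrete version ("latest", "workspace:*", git URLs).
function parseVersion(spec) {
  const m = String(spec).trim().match(/^[\^~>=<\s]*v?(\d+)\.(\d+)\.(\d+)/);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Patched floor per major.minor line. Placeholder table: only the 15.4 entry
// is taken from the post; other lines must be filled in from the advisory.
const PATCHED_FLOORS = { "15.4": "15.4.10" };

// Classify one concrete version string against the floor for its release line.
function classifyNextVersion(versionString) {
  const v = parseVersion(versionString);
  if (!v) return { status: "unparseable", spec: versionString };
  const line = `${v[0]}.${v[1]}`;
  const floorSpec = PATCHED_FLOORS[line];
  if (!floorSpec) return { status: "unknown-line", version: v.join("."), line };
  const ok = compareVersions(v, parseVersion(floorSpec)) >= 0;
  return { status: ok ? "patched" : "vulnerable", version: v.join("."), floor: floorSpec };
}

// Check the "next" entry declared in a package.json object. A range like ^15.4.8
// is treated as its lower bound, so "vulnerable" here means "may still resolve
// to a vulnerable build"; confirm with the installed version.
function checkDeclaredNext(pkgJson) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  if (deps.next === undefined) return { status: "not-declared" };
  return { ...classifyNextVersion(deps.next), spec: deps.next };
}

// Check the installed copy: pass the parsed contents of node_modules/next/package.json.
// The react / react-dom entries in your own package.json are not consulted, because
// (as the reply above explains) Next ships its own server-side React build.
function checkInstalledNext(nextPkgJson) {
  return classifyNextVersion(nextPkgJson.version);
}

// Constructed sample inputs mirroring the original post: before and after the fix.
const samplePackageJsonBefore = { dependencies: { next: "15.4.8", react: "19.1.0", "react-dom": "19.1.0" } };
const samplePackageJsonAfter = { dependencies: { next: "15.4.10", react: "19.1.0", "react-dom": "19.1.0" } };

if (typeof require !== "undefined" && require.main === module) {
  console.log("declared (before):", checkDeclaredNext(samplePackageJsonBefore));
  console.log("declared (after): ", checkDeclaredNext(samplePackageJsonAfter));
  // Real usage: checkInstalledNext(require("./node_modules/next/package.json"))
}
```

Run it with node inside the project directory; the last line in the comment shows how to point it at the installed copy of Next rather than the declared range.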

Thanks, that makes sense.

I have one more doubt — what if I manually update react and react-dom to the patched versions anyway? Would that cause any issues or is it completely optional since Next already bundles the secure version internally?

Also, I’m using several other React-based npm packages in my project, such as:

react-beautiful-dnd: 13.1.0
react-datepicker: 6.1.0
react-dropzone: 14.2.3
react-fast-marquee: 1.6.2
react-google-recaptcha-v3: 1.10.1
react-multi-carousel: 2.8.4
react-xls: 0.1.1

…and many more.

Is there a recommended way to confirm whether all these third-party packages are safe from the current React2Shell vulnerability, or if any of them require updates as well?