CRITICAL Next.js Security Alert: Patch 'React2Shell' RCE Now

Published: December 10, 2025 at 01:55 PM EST
1 min read
Source: Dev.to

Impact

  • Complete server compromise, including data theft and system takeover.

The Immediate Patch Plan (3 Steps)

Step 1: Update Core Packages

You must update your Next.js and React packages to the latest patched versions.

npx fix-react2shell-next
npm install next@latest react@latest react-dom@latest
# next@16.0.7 or later
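After running the update, confirm that the version actually resolved in your project meets the threshold the alert states (next@16.0.7 or later). The following check is an added example, not code from the original post or from the Next.js project; it assumes `next/package.json` is resolvable from the project root (if it is not, `npm ls next` gives the same answer). Only the 16.0.7 threshold named on the page is checked, and a prerelease build of that version is deliberately treated as below it.

```javascript
// Added example: verify the installed Next.js version against the patched
// threshold stated in the alert. Not part of the original post.
const MIN_PATCHED_NEXT = "16.0.7"; // from the alert: next@16.0.7 or later

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// True when `candidate` is at or above `minimum`. A prerelease of the minimum
// (e.g. 16.0.7-canary.3) is treated as below it: a canary build does not
// guarantee the fix that shipped in the release.
function isAtLeast(candidate, minimum) {
  const a = parseVersion(candidate);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a.parts[i] !== b.parts[i]) return a.parts[i] > b.parts[i];
  }
  if (a.prerelease && !b.prerelease) return false;
  return true;
}

// Read the version of next installed in node_modules; null if not installed
// (or if this file is not being run in a CommonJS context).
function installedNextVersion() {
  try {
    return require("next/package.json").version;
  } catch {
    return null;
  }
}

// Combine both: what is installed, and whether it clears the threshold.
function checkProject() {
  const v = installedNextVersion();
  if (v === null) return { installed: null, patched: null };
  return { installed: v, patched: isAtLeast(v, MIN_PATCHED_NEXT) };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = checkProject();
  if (r.installed === null) {
    console.log("next is not installed here; run this from the project root");
  } else {
    console.log(`next@${r.installed}: ${r.patched ? "patched" : "VULNERABLE, update now"}`);
  }
}
```

Run it from the project root with `node check-next.js` (any filename works). Note that it inspects the copy of next that `require` resolves, so in a monorepo run it inside the app workspace rather than at the repository root.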

Step 2: Understand Edge Protection (Vercel Users)

If you are hosted on Vercel, platform-level Web Application Firewall (WAF) rules have been deployed to act as a temporary shield against known exploit patterns.

Important: the WAF is a temporary mitigation, not a fix. The vulnerability remains in your application code until you apply the dependency update in Step 1. Do not skip it.

Step 3: Post-Patch Hygiene

If your app was running a vulnerable version, assume a breach may have occurred:

  • Rotate Secrets: Immediately change all sensitive keys (e.g., DB_URL, API keys) in your environment variables.
  • Audit Logs: Review server logs for unusual POST requests or unexpected shell commands.
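A first pass over access logs for the "unusual POST requests" this step asks you to review can be automated. The script below is an added example, not code from the original post; it parses Combined Log Format lines and reports POST requests to paths outside an allowlist of the app's known POST endpoints, POSTs the server answered with a 5xx, and any single client exceeding a POST-count threshold. The allowlist, the threshold and the sample log lines are constructed for the example; the "unexpected shell commands" half of the step is a host-side review (process and shell history) that access logs will not show you.

```javascript
// Added example: audit access-log lines for unusual POST activity after
// running a vulnerable version. Not part of the original post.

// Combined Log Format: ip ident user [time] "METHOD path proto" status bytes ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

// Parse one line; null when the line is not in the expected format.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4].split("?")[0], status: Number(m[5]) };
}

// Scan lines and collect findings about POST requests.
function auditPostRequests(lines, { expectedPostPaths, perIpThreshold = 20 } = {}) {
  const allowed = new Set(expectedPostPaths);
  const findings = [];
  const postsPerIp = new Map();
  let unparsed = 0;

  for (const line of lines) {
    const req = parseLine(line);
    if (!req) { unparsed++; continue; }          // keep count; malformed lines deserve a look too
    if (req.method !== "POST") continue;

    postsPerIp.set(req.ip, (postsPerIp.get(req.ip) || 0) + 1);

    if (!allowed.has(req.path)) {
      findings.push({ kind: "post-to-unexpected-path", ...req });
    }
    if (req.status >= 500) {
      findings.push({ kind: "post-server-error", ...req });
    }
  }

  for (const [ip, count] of postsPerIp) {
    if (count > perIpThreshold) findings.push({ kind: "post-volume", ip, count });
  }
  return { findings, unparsed };
}

// Constructed sample log lines (documentation IP ranges, not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Dec/2025:13:01:02 -0500] "GET / HTTP/1.1" 200 5120',
  '203.0.113.7 - - [10/Dec/2025:13:01:05 -0500] "POST /api/login HTTP/1.1" 200 88',
  '198.51.100.9 - - [10/Dec/2025:13:02:11 -0500] "POST /about HTTP/1.1" 500 0',
  '198.51.100.9 - - [10/Dec/2025:13:02:12 -0500] "POST /about HTTP/1.1" 200 0',
  'garbage line that does not parse',
  '192.0.2.44 - - [10/Dec/2025:13:03:00 -0500] "POST /api/contact HTTP/1.1" 200 31',
];

// Constructed allowlist: the routes this hypothetical app legitimately POSTs to.
const EXPECTED_POST_PATHS = ["/api/login", "/api/contact"];

function runSampleAudit() {
  return auditPostRequests(SAMPLE_LOG, { expectedPostPaths: EXPECTED_POST_PATHS, perIpThreshold: 20 });
}

if (typeof require !== "undefined" && require.main === module) {
  const { findings, unparsed } = runSampleAudit();
  for (const f of findings) console.log(JSON.stringify(f));
  console.log(`${findings.length} finding(s), ${unparsed} unparsed line(s)`);
}
```

On real logs, replace `SAMPLE_LOG` with the file's lines and `EXPECTED_POST_PATHS` with the routes your app actually accepts POSTs on; a POST to a page that only ever renders is the kind of request worth pulling the full log entry for.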

This alert is brought to you by the team at WebMixStudio, specializing in secure Next.js development.
