Batch Patching Next.js Across All Your GitHub Repos
Made a script to patch the React2Shell vulnerabilities across all my Next.js projects at once.
If you've been following the Next.js security situation, you know there has been a string of critical vulnerabilities affecting React Server Components. It started with React2Shell (remote code execution), then came source code exposure and denial-of-service issues: four CVEs in about a week.
I had a bunch of Next.js projects scattered across my GitHub account and an org. Going through each one manually wasn't happening.
The Problem
Vercel released fix-react2shell-next, which is great for fixing a single project. But I needed to:
- Find all my Next.js repos across multiple GitHub accounts
- Clone them
- Run the fix tool on each
- Commit the changes
- Push when ready
The Solution
I wrote a bash script that:
- Discovers all your GitHub accounts (personal + orgs) via the gh CLI
- Lets you pick which ones to scan
- Finds every repo with Next.js in package.json
- Runs the official Vercel fix tool on each (handles monorepos, React RSC packages, lockfiles)
- Commits locally so you can review before pushing
curl -O https://raw.githubusercontent.com/williavs/nextjs-security-update/main/nextjs-security-update.sh
chmod +x nextjs-security-update.sh
./nextjs-security-update.sh
It uses Vercel's tool under the hood, so the actual patching is reliable; my script just handles the "do it across all my repos" part. As with anything you fetch with curl, read the script before you run it.
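To make the loop above concrete, here is an added example of the shape such a batch patcher takes. It is not the author's nextjs-security-update.sh and not Vercel's tool. It assumes an authenticated gh CLI, git and npx on PATH, and that the official fixer is run as `npx fix-react2shell-next` from a repo root (an assumed invocation); the package.json check is a grep/sed heuristic that only looks inside the dependencies and devDependencies blocks, so a "next" script name or the unrelated next-auth package does not count as a hit. It commits locally and never pushes.

```bash
#!/usr/bin/env bash
# Added example, not the author's nextjs-security-update.sh: the skeleton of a
# batch patcher in the shape the post describes. Assumes `gh` (authenticated),
# `git` and `npx` are on PATH, and that the official fix tool is invoked as
# `npx fix-react2shell-next` from a repo root (assumed invocation).
set -eu

WORKDIR="${WORKDIR:-$PWD/nextjs-patch-work}"   # where clones land
DRY_RUN="${DRY_RUN:-0}"                         # 1 = report only, change nothing

# Print only the "dependencies"/"devDependencies" blocks of a package.json, so a
# "next" script name or package name elsewhere in the file cannot cause a false hit.
dep_blocks() {
  sed -E -n '/"(dev)?[dD]ependencies"[[:space:]]*:[[:space:]]*\{/,/\}/p' "$1"
}

# 0 if package.json lists next (exactly "next", so "next-auth" does not count).
has_nextjs_dep() {
  [ -f "$1" ] || return 1
  dep_blocks "$1" | grep -Eq '"next"[[:space:]]*:[[:space:]]*"'
}

# The declared version range for next, e.g. ^14.2.3 (empty if absent).
next_version_spec() {
  dep_blocks "$1" | sed -E -n 's/.*"next"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1/p' | head -n 1
}

# The authenticated user plus every org it belongs to (override with ACCOUNTS="a b").
discover_accounts() {
  gh api user --jq '.login'
  gh api user/orgs --paginate --jq '.[].login'
}

# owner/name for every non-archived repo the account owns.
list_repos() {
  gh repo list "$1" --limit 1000 --no-archived --json nameWithOwner --jq '.[].nameWithOwner'
}

# Clone one repo, run the fix tool if it depends on Next.js, commit locally. Never pushes.
patch_repo() {
  repo="$1"
  dir="$WORKDIR/$(printf '%s' "$repo" | tr '/' '_')"
  [ -d "$dir/.git" ] || gh repo clone "$repo" "$dir" || return 1
  if ! has_nextjs_dep "$dir/package.json"; then
    echo "skip      $repo (no next dependency)"; return 0
  fi
  echo "candidate $repo (next $(next_version_spec "$dir/package.json"))"
  [ "$DRY_RUN" = 1 ] && return 0
  (cd "$dir" && npx --yes fix-react2shell-next) || { echo "tool failed in $repo" >&2; return 1; }
  if [ -z "$(git -C "$dir" status --porcelain)" ]; then
    echo "clean     $repo (tool made no changes)"; return 0
  fi
  git -C "$dir" add -A
  git -C "$dir" commit -q -m "fix(deps): patch Next.js for React2Shell and follow-up CVEs"
  echo "committed $repo -> review: git -C '$dir' show --stat, then push by hand"
}

main() {
  mkdir -p "$WORKDIR"
  for acct in ${ACCOUNTS:-$(discover_accounts)}; do
    for repo in $(list_repos "$acct"); do
      patch_repo "$repo" || echo "FAILED    $repo" >&2
    done
  done
}

# Run only when executed as a script named batch-patch.sh, so the functions can
# also be sourced (e.g. to check has_nextjs_dep on sample files) without touching GitHub.
if [ "${0##*/}" = "batch-patch.sh" ]; then
  main
fi
```

Run it first with `DRY_RUN=1 ./batch-patch.sh` to see which repos would be touched, then without the flag; `ACCOUNTS="me my-org"` restricts the scan to the accounts you name. Each patched repo ends up as a local commit you can inspect before pushing.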
What Got Patched
The vulnerabilities affect App Router apps using React Server Components:
- CVE-2025-66478 - Remote code execution (the big one)
- CVE-2025-55183 - Source code exposure
- CVE-2025-55184 - Denial of service
- CVE-2025-67779 - Denial of service, follow-up (the initial DoS fix was incomplete)
Pages Router apps aren't affected. Most of my older projects use Pages Router, so they were fine.
Links:
- nextjs-security-update - my batch update script
- fix-react2shell-next - official Vercel tool
- Next.js Security Update - official advisory