The latest articles on DEV Community by Victor Jayeoba (@vickyjay_media). https://dev.to/vickyjay_media https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F990404%2F373b3414-affc-489e-9d4b-04d82c3b4ac7.jpg https://dev.to/vickyjay_media en Victor Jayeoba Wed, 10 Dec 2025 17:22:39 +0000 https://dev.to/vickyjay_media/react2shell-hacked-my-servers-heres-your-3-step-fix-3i2j https://dev.to/vickyjay_media/react2shell-hacked-my-servers-heres-your-3-step-fix-3i2j <p>Three days ago, I woke up to my servers on fire. CPU at 100%, apps dead. The cause? <strong>React2Shell</strong>.</p> <p>If you use <strong>Next.js App Router</strong>, stop and read this. A critical bug lets hackers take over your server with one packet. No password needed.</p> <p>This is my story from the trenches, and your quick-fix guide.</p> <h3> What is React2Shell? </h3> <p>It’s a bug in <strong>React Server Components</strong>. Attackers send a fake data packet, and your server runs it as code. Game over.</p> <p>That’s how they got me. They got a shell and most likely installed crypto miners that killed my CPUs.</p> <h3> The Fix: How I Finally Took My Servers Back </h3> <p>I'll be honest. I messed up at first. I thought I could just clean the infected server and redeploy.</p> <p>After learning the hard way, here is the only method that actually worked.</p> <h4> <strong>Step 1: Nuke the Old Server (Don't Skip This!)</strong> </h4> <p>If you were hacked, your server is compromised. Patching alone is useless.</p> <ul> <li> <strong>I destroyed the VPS.</strong> Don't try to clean it.</li> <li> <strong>I rotated every secret.</strong> API keys, DB passwords, everything. They stole your <code>.env</code> file.</li> </ul> <h4> <strong>Step 2: Patch Your Code</strong> </h4> <p>This is the only real fix. The Next.js team already patched it. Run this in your project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npx fix-react2shell-next </code></pre> </div> <p>This tool automatically finds the vulnerability and updates your <code>package.json</code> to a safe version, like <strong>Next.js <code>15.5.7</code></strong> or newer.</p> <p>After it runs, install the new packages:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm install </code></pre> </div> <h4> <strong>Step 3: Redeploy Safely</strong> </h4> <p>With clean code and new secrets, I spun up a fresh server and redeployed.</p> <p><strong>Pro Tip:</strong> While you're at it, stop running your app as <code>root</code>. Create a dedicated user (<code>web-user</code>) and tighten your firewall.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuoaiotmjgsjci7bt67n6.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuoaiotmjgsjci7bt67n6.jpg" alt=" " width="769" height="258"></a></p> <h3> The Lesson: Don't Be Me </h3> <blockquote> <p>React2Shell is a brutal reminder: just because your app works, doesn't mean it's secure.</p> </blockquote> <p>If you use the Next.js App Router, take 10 minutes. Your to-do list:</p> <ol> <li> <strong>Nuke the Old Server</strong> .</li> <li> <strong>Patch Your Code</strong> Run (<code>npx fix-react2shell-next</code>).</li> <li> <strong>Redeploy Safely</strong> and rebuild with new env if you think you were exposed</li> </ol> <p>It’s way less painful than waking up to a dead server.</p> <p>Got extra hardening tips? Drop them in the comments and help someone else out.</p> react webdev frontend security