Three days ago, I woke up to my servers on fire. CPU at 100%, apps dead. The cause? React2Shell.
If you use Next.js App Router, stop and read this. A critical bug lets hackers take over your server with one packet. No password needed.
This is my story from the trenches, and your quick-fix guide.
What is React2Shell?
It’s a bug in React Server Components. Attackers send a fake data packet, and your server runs it as code. Game over.
That’s how they got me. They got a shell and most likely installed crypto miners that killed my CPUs.
The Fix: How I Finally Took My Servers Back
I'll be honest. I messed up at first. I thought I could just clean the infected server and redeploy.
After learning the hard way, here is the only method that actually worked.
Step 1: Nuke the Old Server (Don't Skip This!)
If you were hacked, your server is compromised. Patching alone is useless.
- I destroyed the VPS. Don't try to clean it.
- I rotated every secret. API keys, DB passwords, everything. They stole your .env file.
Step 2: Patch Your Code
This is the only real fix. The Next.js team already patched it. Run this in your project:
npx fix-react2shell-next
This tool automatically finds the vulnerability and updates your package.json to a safe version, like Next.js 15.5.7 or newer.
After it runs, install the new packages:
npm install
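To confirm the install actually left no old copy of Next.js behind, here is an added example (not from this post or the Next.js project) that audits a parsed package-lock.json, nested copies included. The function names, the FLOORS map and the sample lockfile are constructed for illustration; the only version taken from this post is 15.5.7, and any release line not listed in FLOORS is reported as unverified rather than assumed safe.

```javascript
// Patched floor per release line ("major.minor"). The post names only 15.5.7;
// floors for other lines must come from the vendor advisory (none assumed here).
const FLOORS = { '15.5': '15.5.7' };

// Classify one version string as 'ok', 'below-floor' or 'unverified'.
function classify(version, floors = FLOORS) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version));
  if (!m) return 'unverified'; // unparseable: fail closed
  const floor = floors[`${m[1]}.${m[2]}`];
  if (!floor) return 'unverified'; // release line not listed in FLOORS
  const floorPatch = Number(floor.split('.')[2]);
  const patch = Number(m[3]);
  if (patch !== floorPatch) return patch > floorPatch ? 'ok' : 'below-floor';
  return m[4] ? 'below-floor' : 'ok'; // a prerelease of the floor sorts below it
}

// Find every installed copy of `next`, including nested ones. Handles
// lockfileVersion 2/3 (`packages` map) and 1 (`dependencies` tree).
function findNext(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/next$/.test(path)) found.push({ path, version: meta.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'next') found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// Every copy that is not confirmed patched; an empty array means all clear.
function auditLock(lock, floors = FLOORS) {
  const rows = findNext(lock).map((e) => ({ ...e, status: classify(e.version, floors) }));
  return rows.filter((e) => e.status !== 'ok');
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  packages: {
    'node_modules/next': { version: '15.5.7' },
    'node_modules/some-plugin/node_modules/next': { version: '15.5.2' },
    'node_modules/next-auth': { version: '4.24.0' },
  },
};
console.log(auditLock(SAMPLE_LOCK));
```

For a real project, pass the result of JSON.parse on your own package-lock.json to auditLock and fail the deploy when the returned array is not empty.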
Step 3: Redeploy Safely
With clean code and new secrets, I spun up a fresh server and redeployed.
Pro Tip: While you're at it, stop running your app as root. Create a dedicated user (web-user) and tighten your firewall.
The Lesson: Don't Be Me
React2Shell is a brutal reminder: just because your app works doesn't mean it's secure.
If you use the Next.js App Router, take 10 minutes. Your to-do list:
- Nuke the Old Server.
- Patch Your Code (run npx fix-react2shell-next).
- Redeploy Safely, and rebuild with new env if you think you were exposed.
It’s way less painful than waking up to a dead server.
Got extra hardening tips? Drop them in the comments and help someone else out.

Top comments (2)
Thank you for this boss🙏🏾❤️
Thank you very much🙏🏾❤️, glad you found it helpful