There are people building OSS tools to exploit the new Next.js vulnerabilities. This is a tool to fight back: it makes it dumb easy to upgrade all your Next.js apps across all your GitHub accounts.
Uses the official Vercel fix tool under the hood.
Dec 11, 2025: Next.js disclosed multiple critical vulnerabilities affecting React Server Components with App Router:
- CVE-2025-66478 (RCE)
- CVE-2025-55183 (Source Code Exposure)
- CVE-2025-55184 (DoS)
- CVE-2025-67779 (Complete DoS Fix)
https://nextjs.org/blog/cve-2025-55183-and-cve-2025-55184
- Discovers all your GitHub accounts (personal + orgs)
- Lets you pick which ones to scan
- Finds every Next.js repo
- Runs the official Vercel fix tool on each (handles monorepos, React RSC packages, lockfiles)
- Commits locally (you push when ready)
```bash
curl -O https://raw.githubusercontent.com/williavs/nextjs-security-update/main/nextjs-security-update.sh
chmod +x nextjs-security-update.sh
./nextjs-security-update.sh
```

Or specify accounts directly:

```bash
./nextjs-security-update.sh myusername myorg
```

```bash
DRY_RUN=true ./nextjs-security-update.sh    # See what would change
AUTO_PUSH=true ./nextjs-security-update.sh  # Push automatically
```

Requirements:

- `gh` (GitHub CLI) - authenticated
- `node`/`npx`
- `git`

Push all changes:
```bash
cd ~/nextjs-security-updates
for d in */; do (cd "$d" && git push && echo "Pushed $d"); done
```

Then redeploy your apps.
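
Since the tool only commits locally, the commits can be reviewed before the push loop above is run. The following is an added example, not part of this project or of Vercel's fix tool: it flags any repo under `~/nextjs-security-updates` whose unpushed commits touch files other than package manifests and lockfiles. It assumes each clone has an upstream tracking branch and that a dependency-only fix changes nothing else; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-push review of the local commits made by the update run.
# Assumption: a dependency-only fix changes nothing but manifests and lockfiles.
# Usage: save to a file and run it with the argument "check" (optionally a directory).

# Succeeds if the path is a package manifest or lockfile at any depth (monorepos).
is_dependency_file() {
  case "${1##*/}" in
    package.json|package-lock.json|npm-shrinkwrap.json) return 0 ;;
    yarn.lock|pnpm-lock.yaml|bun.lockb|bun.lock) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads changed paths on stdin and prints those that are not dependency files.
unexpected_paths() {
  local path
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    is_dependency_file "$path" || printf '%s\n' "$path"
  done
}

# Prints one status word for a repo: ok, review, nothing-to-push or skipped.
review_repo() {
  local repo changed extra
  repo=$1
  # Fails when the directory is not a git repo or has no upstream branch.
  if ! changed=$(git -C "$repo" diff --name-only '@{upstream}' HEAD 2>/dev/null); then
    echo "skipped"; return 0
  fi
  if [ -z "$changed" ]; then echo "nothing-to-push"; return 0; fi
  extra=$(printf '%s\n' "$changed" | unexpected_paths)
  if [ -z "$extra" ]; then echo "ok"; return 0; fi
  printf '%s\n' "$extra" | sed 's/^/    unexpected: /' >&2
  echo "review"
}

# Reviews every repo directory under the given path (default: the page's directory).
review_all() {
  local dir repo
  dir=${1:-$HOME/nextjs-security-updates}
  for repo in "$dir"/*/; do
    [ -d "$repo" ] || continue
    printf '%-16s %s\n' "$(review_repo "$repo")" "$repo"
  done
}

if [ "${1:-}" = "check" ]; then review_all "${2:-}"; fi
```

Repos reported as `review` or `skipped` are the ones to inspect by hand with `git log -p` before pushing.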