- A critical security flaw in the @react-native-community/cli npm package has been identified and fixed.
- The flaw allowed remote attackers to execute operating system commands without authentication.
- This vulnerability, CVE-2025-11953, has a severity score of 9.8 out of 10.
- Affected versions ranged from 4.8.0 to 20.0.0-alpha.2, patched in version 20.0.0.
- The issue involved the Metro development server exposing an endpoint vulnerable to command injection.
A critical security weakness was discovered and patched in the popular @react-native-community/cli package, which supports developers building React Native mobile apps. The vulnerability could let unauthenticated attackers execute harmful operating system commands on machines running the development server. The details were reported on November 4, 2025.
According to JFrog Senior Security Researcher Or Peles, the flaw is tracked as CVE-2025-11953 and carries a critical CVSS score of 9.8 out of 10. It affected the command-line interface versions 4.8.0 through 20.0.0-alpha.2 and was fixed in release 20.0.0.
The exposed vulnerability stemmed from the Metro development server binding to external network interfaces by default rather than just localhost. This server exposes an “/open-url” endpoint that accepts POST requests. The user input sent to this endpoint is passed unsafely to a function from the open NPM package, allowing attackers to run arbitrary OS commands.
Peles explained, “The server’s ‘/open-url’ endpoint handles a POST request that includes a user-input value that is passed to the unsafe open() function provided by the open NPM package, which will cause OS command execution.” On Windows systems, this permits executing shell commands with full argument control. On Linux and macOS, attackers can run arbitrary binaries with some parameter restrictions.
The package is maintained by Meta and downloads range between 1.5 million and 2 million weekly. Developers using React Native with frameworks that do not rely on the Metro server are not affected. As Peles noted, “This zero day vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements and broad attack surface.” The issue highlights risks in third-party components and underscores the importance of automated security testing in software supply chains.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Wall Street Raises AMD Price Target Ahead of Strong Q3 Report
- US Sanctions 50+ North Korean Crypto Addresses for Cybercrime
- Theta Labs Secures Patent for Advanced Tree-of-Thought AI System
- Bitcoin White Paper Hits 17 Years, Network Remains Resilient
- Ethereum Funds Dwindle as Bitcoin Attracts Institutional Capital
