A critical security vulnerability, tracked as CVE-2025-11953, has been discovered and patched in the widely used @react-native-community/cli npm package. This flaw could have allowed remote, unauthenticated attackers to execute arbitrary operating system commands on a developer’s machine, posing a severe risk to the software development ecosystem.
Vulnerability Overview and Severity
The vulnerability received the highest severity rating with a CVSS score of 9.8 out of 10. It affected versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli package and the related @react-native-community/cli-server-api package. The maintainers, Meta, released a patched version (20.0.0) early last month.
This command-line tool is essential for building React Native mobile applications and receives between 1.5 million and 2 million weekly downloads, highlighting the potential scale of the impact.
The Root Cause: An Unsafe Endpoint
The flaw resided within the Metro development server, which is used by React Native. The vulnerability was two-fold:
- External Binding: By default, the Metro development server binds to external network interfaces, making it accessible over the network instead of being restricted to the local machine (localhost).
- Unsafe Command Injection: The server exposed an /open-url endpoint that accepted user input. This input was passed directly to the unsafe open() function from the open NPM package without proper sanitization.
As explained by JFrog Senior Security Researcher Or Peles, “The server’s ‘/open-url’ endpoint handles a POST request that includes a user-input value that is passed to the unsafe open() function… which will cause OS command execution.”
Exploitation and Attack Scenarios
This combination created a dangerous attack vector. An unauthenticated attacker on the same network could send a specially crafted POST request to the /open-url endpoint on a developer’s machine. This would trigger the flaw and allow the attacker to run any command they wanted on the developer’s system.
- On Windows: Attackers could execute arbitrary shell commands with fully controlled arguments.
- On Linux and macOS: Attackers could execute arbitrary binaries, though with limited control over the parameters.
Mitigation and Broader Implications
Developers who have updated to version 20.0.0 or later of the affected packages are protected. Those using React Native with a framework that does not rely on Metro as the development server were not impacted.
This incident serves as a stark reminder of the hidden risks in software supply chains. Or Peles emphasized, “This zero day vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements and broad attack surface. It also exposes the critical risks hidden in third-party code.”