A critical remote code execution (RCE) vulnerability tracked as CVE-2025-11953 affects the @react-native-community/cli NPM package.
With nearly 2 million weekly downloads, this package powers the command-line interface for React Native, a JavaScript framework beloved by developers building cross-platform mobile apps.
The vulnerability, scored at CVSS 9.8 for its network accessibility, low complexity, and potential for high-impact damage, lets unauthenticated attackers execute arbitrary operating system commands on a developer’s machine via the package’s development server.
React Native’s CLI, extracted from the core codebase years ago for better maintainability, handles essential tasks like initializing projects and running the Metro bundler.
Commands such as “npm start” or “npx react-native run-android” launch this server, which bundles JavaScript for emulators or devices.
But JFrog researchers found that the server’s /open-url endpoint mishandles user input, passing it directly to the “open” NPM library’s unsafe open() function.
On Windows, this spawns shell commands with full control over the parameters: think launching calc.exe or writing files such as a proof-of-concept “pwned.txt”. On macOS and Linux, execution is more limited but could escalate with further tweaks to URI schemes or file handlers.

What elevates this from a local nuisance to a nightmare is a secondary issue in React Native’s core: the Metro server binds to all network interfaces (0.0.0.0) by default, despite console messages claiming localhost-only access.
This stems from an undefined host parameter in the runServer function, exposing endpoints to remote attackers. Developers using vulnerable CLI versions (4.8.0 to 20.0.0-alpha.2) in the @react-native-community/cli-server-api package are at risk, especially those skipping frameworks like Expo, which use alternative servers.
Not everyone faces the same level of risk. Projects that rely on Metro for hot reloading during development, which is typical of basic React Native setups for Windows, macOS, iOS, or Android, are the most exposed.
Global installations or bundled dependencies amplify the threat. JFrog demonstrated Windows exploits easily, while Unix-like systems demand creative workarounds, such as exploiting URI handlers for remote file execution.
The fix arrived swiftly, thanks to Meta’s security team, in CLI version 20.0.0. Developers should update via npm in project folders or globally, then verify with “npm list @react-native-community/cli-server-api.”
For immediate protection, bind the server to localhost: “npx react-native start --host 127.0.0.1”. This vulnerability underscores the perils of third-party sinks like the “open” package and default network exposures in dev tools.
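The verification step above, checking what “npm list @react-native-community/cli-server-api” reports, is easy to get wrong by eye once prerelease tags are involved, since 20.0.0-alpha.2 sorts below 20.0.0. The following Node.js check is an added example, not JFrog's or the project's tooling: it parses npm list text (the sample output is constructed) and flags every version from 4.8.0 up to, but not including, the 20.0.0 fix release, which covers the stated upper bound 20.0.0-alpha.2 along with any other 20.0.0 prerelease.

```javascript
// Added example: decide from `npm list` output whether the installed
// @react-native-community/cli-server-api falls in the affected range.
// Constructed for this article; not JFrog's or the project's tooling.

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Compare two prerelease identifier lists per semver: a release outranks any
// prerelease of the same version, numeric identifiers compare numerically and
// rank below alphanumeric ones, and a shorter list that is a prefix of a
// longer one ranks lower.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const an = /^\d+$/.test(a[i]);
    const bn = /^\d+$/.test(b[i]);
    if (an && bn) {
      const d = Number(a[i]) - Number(b[i]);
      if (d !== 0) return Math.sign(d);
    } else if (an) {
      return -1;
    } else if (bn) {
      return 1;
    } else if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  return Math.sign(a.length - b.length);
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(x, y) {
  const a = parseSemver(x);
  const b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  return comparePre(a.pre, b.pre);
}

const AFFECTED_PACKAGE = '@react-native-community/cli-server-api';
const FIRST_AFFECTED = '4.8.0'; // lower bound as reported above
const FIXED_IN = '20.0.0';      // fix release; 20.0.0-alpha.2 sorts below it

// Affected: first affected release <= v < fix release. This includes the
// stated upper bound 20.0.0-alpha.2 and any other 20.0.0 prerelease.
function isVulnerableVersion(v) {
  return compareSemver(v, FIRST_AFFECTED) >= 0 && compareSemver(v, FIXED_IN) < 0;
}

// Pull every "<pkg>@<version>" occurrence out of `npm list` text. Nested
// copies mean the package can appear more than once, so all distinct
// versions are returned; " deduped" annotations are stripped by the split.
function findInstalledVersions(npmListText, pkg = AFFECTED_PACKAGE) {
  const versions = new Set();
  const marker = pkg + '@';
  for (const line of npmListText.split('\n')) {
    let idx = line.indexOf(marker);
    while (idx !== -1) {
      const ver = line.slice(idx + marker.length).split(/[\s,]/)[0];
      if (ver) versions.add(ver);
      idx = line.indexOf(marker, idx + marker.length);
    }
  }
  return [...versions];
}

// Summarise which installed copies still need the update.
function assess(npmListText) {
  const installed = findInstalledVersions(npmListText);
  return { installed, vulnerable: installed.filter(isVulnerableVersion) };
}

// Constructed sample of `npm list` output (not captured from a real project):
// one nested copy already on the fix release, one still in the affected range.
const SAMPLE_NPM_LIST = [
  'my-app@0.0.1 /home/dev/my-app',
  '├─┬ @react-native-community/cli@19.1.1',
  '│ └── @react-native-community/cli-server-api@19.1.1',
  '└─┬ some-tool@1.0.0',
  '  └── @react-native-community/cli-server-api@20.0.0 deduped',
].join('\n');
```

Run `assess` over the real output of `npm list @react-native-community/cli-server-api` (or `npm list -g` for a global install) and anything in `vulnerable` is a copy that has not yet been moved to 20.0.0.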