Severe React Native Flaw Exposes Developer Systems to Remote Attacks – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More


Security researchers at JFrog, a company specialising in software supply chain protection, recently found a severe security problem in a key part of the React Native mobile app development framework.

For your information, React Native lets developers write most of the code once using JavaScript to create native mobile apps for both iOS and Android, as well as platforms like Windows and macOS.

The issue, tracked as CVE-2025-11953, affects the widely used @react-native-community/cli package, which is downloaded about 2 million times each week. The vulnerable package is a command-line tool (CLI) essential for setting up and running these applications.

Remote Code Execution Threatens Developer Workstations

The vulnerability is rated as critical with a CVSS score of 9.8. It allows a remote attacker to perform Remote Code Execution (RCE), which means they can easily run their own commands on the developer’s machine. This is possible because of a combination of two security weaknesses.

As per JFrog’s research blog, published and shared with Hackread.com, the main technical problem is in the @react-native-community/cli-server-api package, specifically in versions 4.8.0 to 20.0.0-alpha.2. This danger is then amplified by a second, separate issue: the Metro development server, which should only be reachable from the developer’s own computer, is incorrectly set up to listen for connections from any network interface by default.

react-native’s development server (Metro) running (Image source: JFrog)

This default exposure means the primary flaw can be exploited by an outsider, making the entire situation extremely serious. Furthermore, JFrog researchers proved that on Windows, this can lead to arbitrary OS command execution, where an attacker can run nearly any command.

Or Peles, blog author and JFrog’s Senior Security Researcher, told Hackread.com that, “This zero-day vulnerability is particularly dangerous due to its ease of exploitation and enormous attack surface. It also exposes the critical risks hidden in third-party code.”

The exploit forced calc.exe to run (Image source: JFrog)

Immediate Fixes Available

Developers who start their React Native projects using a vulnerable version of the CLI and run the development server with commands like npm start or npx react-native start are at risk. The good news is that Meta’s security team was quick to respond. The issue is fixed in version 20.0.0 and higher of the affected server API package.

Researchers urge developers to immediately update @react-native-community/cli-server-api to version 20.0.0 or greater. If updating is not possible right away, a temporary workaround is to explicitly bind the development server to the local machine only by adding the flag `--host 127.0.0.1` to their start commands (e.g., `npx react-native start --host 127.0.0.1`).
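To check a project for the affected package before the update lands, the following added example (not JFrog’s or the React Native project’s code) scans a package-lock.json for every installed copy of @react-native-community/cli-server-api and flags versions below the fixed 20.0.0 release, handling the pre-release ordering in which 20.0.0-alpha.2 sorts before 20.0.0. It assumes lockfile format v2/v3 (the `packages` map) and, as a conservative assumption, treats any 20.0.0 pre-release as needing the upgrade; the sample lockfile is constructed.

```python
"""Lockfile check for CVE-2025-11953 (added example, not project code)."""
import json
import re

PACKAGE = "@react-native-community/cli-server-api"
FIRST_AFFECTED = "4.8.0"    # start of the affected range named by JFrog
FIXED = "20.0.0"            # first fixed release per the advisory

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def semver_key(version):
    """Sort key following semver precedence: 20.0.0-alpha.2 < 20.0.0."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + (1, ())          # a release outranks any pre-release
    # numeric identifiers compare numerically and rank below alphanumerics
    parts = tuple((0, int(p), "") if p.isdigit() else (1, 0, p)
                  for p in pre.split("."))
    return core + (0, parts)


def is_vulnerable(version):
    """True for 4.8.0 .. 20.0.0-alpha.2; assumption: also any other
    20.0.0 pre-release, since the fix is 'update to 20.0.0 or greater'."""
    return semver_key(FIRST_AFFECTED) <= semver_key(version) < semver_key(FIXED)


def find_vulnerable(lockfile_text):
    """Return [(lockfile path, version)] for every vulnerable install."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PACKAGE) and "version" in meta:
            if is_vulnerable(meta["version"]):
                hits.append((path, meta["version"]))
    return hits


# Constructed sample lockfile: one fixed top-level copy, one old nested copy.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "node_modules/@react-native-community/cli-server-api": {"version": "20.0.0"},
    "node_modules/some-plugin/node_modules/@react-native-community/cli-server-api":
        {"version": "13.6.9"},
}})

if __name__ == "__main__":
    for path, version in find_vulnerable(SAMPLE_LOCK):
        print(f"{path}: {version} -> update to >= {FIXED}")
```

Nested copies pulled in by plugins are the ones a top-level `npm ls` view tends to hide, which is why the scan walks every lockfile path rather than only the root entry.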

Ultimately, this discovery shows that even simple security flaws can still exist in software, especially when using code developed by third parties. Reflecting on the findings, JFrog researchers stated that “secure coding practices and automated security scanning are essential for preventing these easily exploitable flaws before they make it to production.”
