
The flaw, tracked as CVE-2025-11953, impacts the widely-used @react-native-community/cli-server-api NPM package, which maintains approximately two million weekly downloads.
The vulnerability carries a maximum CVSS 3.1 score of 9.8, indicating its severity and ease of exploitation by unauthenticated attackers with minimal technical barriers.
The vulnerability exists in versions 4.8.0 through 20.0.0-alpha.2 of the affected package and enables remote attackers to execute arbitrary operating system commands on machines running React Native’s development server without requiring authentication or user interaction.

This represents a significant threat to developers working on mobile applications, as exploitation could lead to complete system compromise and unauthorized access to source code and credentials.
Understanding the Technical Flaw
The security flaw originates from unsafe handling of user input in the Metro development server’s /open-url endpoint.
When developers run common commands such as npm start or npx react-native start to launch their development environment, the server processes POST requests whose unsanitized data is passed directly to the dangerous open() function from the open NPM package.
This function executes system-level commands without proper validation, creating a clear pathway for attackers to inject malicious commands.
Researchers demonstrated complete arbitrary command execution with full parameter control on Windows systems.
The vulnerability allows attackers to execute shell commands by crafting malicious requests that bypass basic sanitization attempts.
While macOS and Linux systems show slightly more restricted exploitation paths due to different code execution mechanisms, researchers believe arbitrary command execution remains achievable with additional research on these platforms.
Compounding the problem, JFrog discovered a secondary vulnerability in React Native’s core codebase where the development server binds to all network interfaces rather than localhost only, despite displaying messages indicating localhost-only operation.
This misconfiguration transforms what might have been a local-only security issue into a remotely exploitable critical vulnerability, as the development endpoints become accessible to network attackers.
Vulnerability Details
| CVE ID | Affected Product | Affected Versions | CVSS Score | Vulnerability Type |
|---|---|---|---|---|
| CVE-2025-11953 | @react-native-community/cli-server-api | 4.8.0 to 20.0.0-alpha.2 | 9.8 (Critical) | Remote Code Execution (RCE) |
Developers who initiated React Native projects using vulnerable versions of @react-native-community/cli and run the Metro development server through standard commands are at immediate risk.
To verify if your project contains the vulnerable package, navigate to your project folder and run npm list @react-native-community/cli-server-api.
The package may also be globally installed on your system, which can be checked using npm list -g @react-native-community/cli-server-api.
Meta’s security team has responded promptly by releasing a patch in version 20.0.0 of the affected package. Developers should immediately update @react-native-community/cli-server-api to version 20.0.0 or higher in all their React Native projects.
For situations where upgrading proves difficult, developers can mitigate risk by explicitly binding the development server to the localhost interface using the --host 127.0.0.1 flag when starting the server, for example npx react-native start --host 127.0.0.1.
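As an added example (not code from the advisory, JFrog or the package itself), the following script parses the JSON form of the `npm list` check above and reports every installed copy of the package, including transitive ones, whose version falls in the affected range. The sample dependency tree, the package names inside it and the decision to treat any other 20.0.0 pre-release as unpatched are assumptions made for the example.

```python
import json, re, subprocess, sys
PKG = "@react-native-community/cli-server-api"
VULN_MIN = (4, 8, 0)   # first affected release named in the advisory
FIXED = (20, 0, 0)     # release that carries the fix
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")

def parse_version(text):
    """Return ((major, minor, patch), prerelease-or-None), or None if unparsable."""
    m = _SEMVER.match(text.strip())
    return ((int(m[1]), int(m[2]), int(m[3])), m[4]) if m else None

def is_vulnerable(version):
    """True for versions in 4.8.0 .. 20.0.0-alpha.2. Assumption: every other
    20.0.0 pre-release is treated as unpatched too, since the fix is 20.0.0."""
    parsed = parse_version(version)
    if parsed is None:
        return False   # unknown format: do not guess
    core, pre = parsed
    if core < VULN_MIN or (core == VULN_MIN and pre is not None):
        return False   # a 4.8.0 pre-release sorts below 4.8.0 in semver
    return core < FIXED or (core == FIXED and pre is not None)

def find_installs(tree, path=()):
    """Walk an `npm list --json` tree, yielding (dependency path, version)
    for every copy of PKG, including transitive and duplicated copies."""
    for name, info in (tree.get("dependencies") or {}).items():
        here = path + (name,)
        if name == PKG and "version" in info:
            yield here, info["version"]
        yield from find_installs(info, here)

def vulnerable_installs(npm_list_json):
    """Return 'a > b > PKG@x.y.z' strings for each affected copy in the tree."""
    tree = json.loads(npm_list_json)
    return [" > ".join(p) + "@" + v for p, v in find_installs(tree) if is_vulnerable(v)]

# Constructed sample in the shape of `npm list --json` output (not real data).
SAMPLE = json.dumps({"name": "demo-app", "dependencies": {
    "@react-native-community/cli": {"version": "19.1.0", "dependencies": {PKG: {"version": "19.1.0"}}},
    "some-tool": {"version": "1.0.0", "dependencies": {PKG: {"version": "20.0.0"}}}}})

if __name__ == "__main__":
    try:   # --all asks npm 7+ for the full tree; npm's exit status is ignored
        out = subprocess.run(["npm", "list", PKG, "--json", "--all"],
                             capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""   # no npm on PATH: fall back to the constructed sample
    hits = vulnerable_installs(out or SAMPLE)
    print("\n".join(hits) if hits else "no affected copies of " + PKG)
    sys.exit(1 if hits else 0)
```

Run it from the project folder; a non-zero exit status makes it usable as a CI gate until the upgrade to 20.0.0 lands.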
Developers using frameworks like Expo that employ different development servers are typically not affected by this vulnerability.
This discovery highlights how critical remote code execution flaws continue appearing in production software, particularly when dangerous functions reside in third-party dependencies.
The vulnerability serves as a stark reminder that secure coding practices and automated security scanning remain essential for preventing easily exploitable flaws before they reach production environments.
Development teams should prioritize immediate patching and implement network-level controls to restrict access to development servers during the transition period.
The post Severe RCE Flaw in Widely Used React Native NPM Library Puts Developers at Risk appeared first on Cyber Security News.
