Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks - The Hacker News

Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks Ravie LakshmananNov 04, 2025Vulnerability / Supply Chain Security Details have emerged about a now-patched critical security flaw in the popular "@react-native-community/cli" npm package that could be potentially exploited to run malicious operating system (OS) commands under certain conditions. "The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli's development server, posing a significant risk to developers," JFrog Senior Security Researcher Or Peles said in a report shared with The Hacker News. The vulnerability, tracked as CVE-2025-11953, carries a CVSS score of 9.8 out of a maximum of 10.0, indicating critical severity. It also affects the "@react-native-community/cli-server-api" package versions 4.8.0 through 20.0.0-alpha.2, and has been patched in version 20.0.0 released early last month. The command-line tools package, which is maintained by Meta, enables developers to build React Native mobile applications. It receives approximately 1.5 million to 2 million downloads per week. According to the software supply chain security firm, the vulnerability arises from the fact that the Metro development server used by React Native to build JavaScript code and assets binds to external interfaces by default (instead of localhost) and exposes an "/open-url" endpoint that is susceptible to OS command injection. "The server's '/open-url' endpoint handles a POST request that includes a user-input value that is passed to the unsafe open() function provided by the open NPM package, which will cause OS command execution," Peles said. As a result, an unauthenticated network attacker could weaponize the flaw to send a specially crafted POST request to the server and run arbitrary commands. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS, it can be abused to execute arbitrary binaries with limited parameter control. While the issue has since been addressed, developers who use React Native with a framework that doesn't rely on Metro as the development server are not impacted.  "This zero day vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements and broad attack surface," Peles said. "It also exposes the critical risks hidden in third-party code." "For developer and security teams, this underscores the need for automated, comprehensive security scanning across the software supply chain to ensure easily exploitable flaws are remediated before they impact your organization." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Command Injection, cybersecurity, JFrog, Meta, Open Source, React Native, Software Vulnerability, Supply Chain Security Trending News 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Popular Resources Identity Controls Checklist: Find Missing Protections in Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps