
Details have emerged about a critical security flaw that was patched in the popular @react-native-community/cli npm package. This flaw can be exploited under certain conditions to execute malicious operating system (OS) commands.
“This vulnerability allows an unauthenticated, remote attacker to easily cause execution of arbitrary OS commands on the machine running the react-native-community/cli development server, posing a significant risk to developers,” Or Peles, senior security researcher at JFrog, said in a report shared with The Hacker News.

This vulnerability is tracked as CVE-2025-11953 and has a CVSS score of 9.8 out of a maximum of 10.0, indicating critical severity. It affects versions 4.8.0 through 20.0.0-alpha.2 of the “@react-native-community/cli-server-api” package, and was patched in version 20.0.0, released early last month.
The command-line tool, a package maintained by Meta, allows developers to build React Native mobile applications. It receives approximately 1.5 to 2 million downloads each week.
According to the software supply chain security firm, the vulnerability arises from the fact that the Metro development server that React Native uses to build JavaScript code and assets is bound by default to an external interface (rather than localhost) and exposes an “/open-url” endpoint that is susceptible to OS command injection.
“The server’s ‘/open-url’ endpoint handles POST requests containing user input values that are passed to the insecure open() function provided by the open NPM package, which executes OS commands,” Peles said.
As a result, an unauthenticated network attacker could exploit this flaw to execute arbitrary commands by sending specially crafted POST requests to the server. On Windows, this allows execution of arbitrary shell commands with fully controlled arguments, while on Linux and macOS it allows execution of arbitrary binaries with only limited control over their parameters.
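Given the affected range stated above (4.8.0 up to and including 20.0.0-alpha.2, fixed in 20.0.0), one defender-side check is to scan a project's lockfile for the package. The following is an added example, not JFrog's or the React Native project's code; it assumes a lockfileVersion 2 or 3 package-lock.json, whose "packages" map is keyed by install path, and runs against a constructed sample lockfile.

```javascript
// Added example (not JFrog's or the project's code): scan a package-lock.json
// "packages" map (lockfileVersion 2/3) for @react-native-community/cli-server-api
// in the affected range 4.8.0 <= v < 20.0.0. The prerelease-aware comparison matters:
// 20.0.0-alpha.2 is affected, 20.0.0 is the fixed release.
const AFFECTED_PKG = "@react-native-community/cli-server-api";
const FIRST_AFFECTED = "4.8.0";
const FIXED = "20.0.0";
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Comparator (<0, 0, >0). Per semver, a prerelease sorts below the same core version
// without one; numeric identifiers compare numerically and precede alphanumeric ones.
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) if (A.core[i] !== B.core[i]) return A.core[i] - B.core[i];
  // Exactly one side has a prerelease: that side is the lower version (both empty: 0).
  if (A.pre.length === 0 || B.pre.length === 0) return B.pre.length - A.pre.length;
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    const x = A.pre[i], y = B.pre[i];
    if (x === undefined) return -1; // shorter prerelease identifier list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) - Number(y); continue; }
    if (xn !== yn) return xn ? -1 : 1;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
function isAffected(version) {
  return compareSemver(version, FIRST_AFFECTED) >= 0 && compareSemver(version, FIXED) < 0;
}

// Returns every install path in the lockfile that resolves the package to an affected version.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path.endsWith("node_modules/" + AFFECTED_PKG) && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits; // real file: findAffected(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
}
// Constructed sample lockfile (not from any real project): one affected copy, one fixed copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/@react-native-community/cli-server-api": { version: "15.0.1" },
  "node_modules/foo/node_modules/@react-native-community/cli-server-api": { version: "20.0.0" } } };
```

Nested copies under another dependency's node_modules are reported too, which is why the scan walks install paths rather than the top-level dependency list.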

The issue has since been resolved. Developers using React Native with frameworks that do not rely on Metro as their development server are not affected.
“This zero-day vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements, and wide attack surface,” Peles said. “It also exposes significant risks hidden in third-party code.”
“For developers and security teams, this highlights the need for automated and comprehensive security scanning across the software supply chain to ensure easily exploitable flaws are remediated before they impact the organization.”
