A critical flaw in the React Native Community CLI (CVE-2025-11953) has been identified, enabling OS command injection through the Metro development server. This vulnerability, discovered by JFrog researchers, affects millions of developers globally due to its high CVSS score of 9.8, suggesting a severe risk.
Vulnerability Details
The flaw targets versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli package. It allows attackers to run arbitrary executables by accepting unauthorized POST requests. On Windows, it can execute shell commands with complete argument control, while on Linux and macOS, it can run binaries with limited parameters.
Remediation and Recommendations
A patch is available in version 20.0.0 of the package. JFrog recommends users update immediately. In cases where updates are not feasible, network exposure of the Metro server should be restricted to prevent exploitation.
Risks and Acknowledgments
The vulnerability does not require authentication, increasing its danger due to a broad attack surface. JFrog emphasizes the importance of automated security scanning within the software supply chain. As of now, there have been no verified public exploits witnessed in the wild.
