Full Report
A severe security vulnerability has been discovered in a widely used React Native development package, potentially exposing millions of developers to remote attacks. Security researchers from JFrog recently uncovered CVE-2025-11953, a critical remote code execution flaw affecting the @react-native-community/cli NPM package, which receives approximately two million weekly downloads. The vulnerability carries a maximum CVSS score […]

Source: GBHackers Security, "Critical RCE Bug in Leading React Native NPM Module Could Allow Full System Compromise".
Analysis Summary
# Vulnerability: Remote Code Execution in React Native CLI Package
## CVE Details
- CVE ID: CVE-2025-11953
- CVSS Score: 9.8 (Critical)
- CWE: Not explicitly mentioned, but related to Unsafe Input Handling/OS Command Injection.
## Affected Systems
- Products: `@react-native-community/cli-server-api` (part of the React Native development environment, specifically the Metro development server when using the CLI).
- Versions: 4.8.0 to 20.0.0-alpha.2 (inclusive).
- Configurations: Projects using the affected package versions and running the Metro development server via standard `npm start` or `npx react-native start` commands. Developers using frameworks like Expo that utilize different development servers are typically not affected.
## Vulnerability Description
This is a critical Remote Code Execution (RCE) vulnerability stemming from the unsafe handling of user input within the Metro development server's `/open-url` endpoint. When the development server processes POST requests, unsanitized data received via this endpoint is passed directly to the `open()` function from the vulnerable `open` NPM package. This results in the execution of arbitrary operating system commands without requiring user interaction or prior authentication. Furthermore, a related issue causes the development server to bind to all network interfaces instead of only `localhost`, transforming a potentially local issue into a remotely exploitable vulnerability accessible over the network.
## Exploitation
- Status: PoC available (Researchers demonstrated successful arbitrary command execution on Windows by creating a file).
- Complexity: Low (The vulnerability allows exploitation by unauthenticated attackers).
- Attack Vector: Network (Due to the server binding to all interfaces).
## Impact
- Confidentiality: Potential High (Full system compromise allows access to sensitive files).
- Integrity: Potential High (Arbitrary OS command execution allows system modification).
- Availability: Potential High (System compromise can lead to denial of service or system destruction).
## Remediation
### Patches
- Patch released in version **20.0.0** of `@react-native-community/cli-server-api`.
### Workarounds
- Developers can verify if their project is affected by running `npm list @react-native-community/cli-server-api` in their project directory.
- Developers may mitigate the network exposure by manually configuring the development server to bind only to `localhost` if patching is not immediately possible, although the core issue lies in input sanitization.
- Developers using frameworks like Expo (if they do not directly utilize the vulnerable CLI versions) may be unaffected.
## Detection
- Indicators of Compromise: Unexpected OS commands executed by the development server's process, unexpected file creation (e.g., a `pwned.txt` left behind by PoC testing), or network traffic from other hosts directed at the Metro development server endpoints.
- Detection methods and tools: Use dependency scanning tools to check for the vulnerable version range installed locally or within build artifacts. Monitor network logs for POST requests to the `/open-url` endpoint if the development server is exposed.
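As an added illustration of the two checks above (this is not code from the advisory, from JFrog or from the React Native project), the following Node.js snippet tests an installed version against the affected range, handling the prerelease boundary so that `20.0.0-alpha.2` is flagged while `20.0.0` is not, and filters constructed dev-server log lines for `/open-url` POSTs from non-loopback addresses; the `<ip> <METHOD> <path>` log format is an assumption.

```javascript
// Added example: affected-range check for @react-native-community/cli-server-api
// (4.8.0 .. 20.0.0-alpha.2 inclusive) and a /open-url off-host log filter.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  const pre = m[4] ? m[4].split(".").map(p => (/^\d+$/.test(p) ? Number(p) : p)) : null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Semver precedence: numeric core first; a prerelease sorts below the release
// with the same core; prerelease identifiers compare numerically, then as strings.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (!x.pre || !y.pre) return (x.pre ? -1 : 0) + (y.pre ? 1 : 0);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;          // shorter prerelease list is lower
    if (q === undefined) return 1;
    if (p === q) continue;
    if (typeof p !== typeof q) return typeof p === "number" ? -1 : 1; // numbers < strings
    return p < q ? -1 : 1;
  }
  return 0;
}

const FIRST_AFFECTED = "4.8.0";
const LAST_AFFECTED = "20.0.0-alpha.2";

// True when an installed version lies inside the advisory's affected range.
function isAffected(version) {
  return compareSemver(version, FIRST_AFFECTED) >= 0 &&
         compareSemver(version, LAST_AFFECTED) <= 0;
}

// Constructed log format "<client-ip> <METHOD> <path>": keep only /open-url POSTs
// whose source is not loopback, i.e. requests an all-interfaces bind lets through.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1", "localhost"]);
function offHostOpenUrlHits(logLines) {
  return logLines.filter(line => {
    const m = /^(\S+)\s+POST\s+\/open-url(?:[?\s]|$)/.exec(line);
    return m !== null && !LOOPBACK.has(m[1]);
  });
}
```

Feed `isAffected` the `version` field from `node_modules/@react-native-community/cli-server-api/package.json` (or the output of the `npm list` command above) to check a project.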
## References
- Vendor advisories: Security researchers from JFrog uncovered the flaw.
- Relevant links:
  - [Vulnerability Report on NVD: nvd.nist.gov/vuln/detail/CVE-2025-11953](https://nvd.nist.gov/vuln/detail/CVE-2025-11953)
  - [Article Source: gbhackers.com/critical-rce-bug-in-leading-react-native-npm-module/](https://gbhackers.com/critical-rce-bug-in-leading-react-native-npm-module/)