Full Report
When creating a React Native project, most developers use the package react-native-community/cli. It creates a project structure with the proper dependencies and configuration files, and the application is started with npx react-native start. While the development server is running, React Native forwards commands to @react-native-community/cli from a URL parameter in runServer.js. The added middleware handler /open-url opens a URL via the open() function in Node.js. The reason this handler exists isn't explained in the article.

The open() function is very versatile, for good or for bad. On Windows, the command is passed as arguments to cmd and executed using childProcess.spawn(). This also works for URLs, thanks to the default URL scheme handler, so by placing a shell command in this parameter it's possible to achieve RCE on the development machine via a single URL parameter. On Unix-like operating systems, open() expects separate strings for the different CLI parameters, unlike on Windows, so there is no easy path to RCE there; it can still load a remote file via smb:// and, for some reason, execute a local file via file://0.0.0.0.

What's hilarious about this is that there's a log message that says "Starting dev server on http://localhost:8081", even though the server is actually exposed to the network. Overall, a good post on the root cause of a pretty simple issue.
Analysis Summary
# Vulnerability: Critical RCE in React Native Community CLI
## CVE Details
- **CVE ID:** CVE-2025-11953
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-78 (OS Command Injection) / CWE-94 (Code Injection)
## Affected Systems
- **Products:** `@react-native-community/cli-server-api` (often bundled with `@react-native-community/cli`)
- **Versions:** 4.8.0 through 20.0.0-alpha.2
- **Configurations:** Systems running the Metro development server (e.g., via `npm start` or `npx react-native start`) where the server is accessible over the network. Projects created without a framework are particularly at risk.
## Vulnerability Description
The vulnerability exists in the `/open-url` middleware handler within the React Native CLI's development server. This handler passes a URL parameter directly to the Node.js `open()` function.
* **Windows:** The command is passed to `cmd.exe` and executed via `childProcess.spawn()`. Because of how Windows handles default URL schemes, an attacker can inject shell commands into the parameter, leading to full Remote Code Execution (RCE).
* **Unix-like (macOS/Linux):** The `open()` implementation expects separate strings for parameters, making RCE more difficult but still allowing for the execution of arbitrary local files via the `file://` scheme or remote file loading via `smb://`.
Furthermore, a secondary issue in the core codebase allows the dev server (which usually defaults to localhost) to be exposed to external network traffic, enabling remote unauthenticated attacks.
## Exploitation
- **Status:** PoC available (demonstrated by JFrog Research)
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** High (Full access to developer machine data)
- **Integrity:** High (Ability to modify source code or plant malware)
- **Availability:** High (Ability to execute destructive commands)
## Remediation
### Patches
- Update `@react-native-community/cli-server-api` to **version 20.0.0** or higher.
- Ensure the main `@react-native-community/cli` package is also updated to a version containing the fix.
### Workarounds
- Force the development server to bind only to the local interface by using the `--host` flag: `npx react-native start --host 127.0.0.1`
- Use hardware/software firewalls to block port 8081 from external access.
## Detection
- **Indicators of Compromise:** Unusual child processes spawned by `node.exe` or `react-native`, particularly those involving `cmd.exe`, `/c`, or unexpected network connections via `smb://`.
- **Detection Methods:**
  - Run `npm list @react-native-community/cli-server-api` to check for vulnerable versions.
  - Monitor web server logs for suspicious requests to the `[host]:8081/open-url?url=...` endpoint.
  - Utilize SAST/DAST tools to identify the data flow from `req.body` to the `open()` function.
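As an added example (not code from the React Native CLI or the JFrog write-up) tying the vulnerability description above to the detection advice: a scheme and character allow-list that a hardened `/open-url` handler would apply before ever calling `open()`, and a scan of constructed access-log lines that flags requests whose `url` parameter fails that check. The log format, sample addresses and sample URLs are assumptions.

```javascript
// Added example, not code from @react-native-community/cli: an allow-list
// check for the url parameter of /open-url, plus a scan of constructed
// dev-server access-log lines for requests that would have failed it.

// Conservative character allow-list: alphanumerics plus the URL punctuation a
// dev-server page link needs. It deliberately excludes characters cmd.exe
// treats specially (& | < > ^ " ' ` and whitespace); '%' stays for
// percent-encoding. Widen it only if a legitimate dev URL actually needs more.
const SAFE_CHARS = /^[A-Za-z0-9\-._~:\/?#@=+%,]*$/;

// Only plain web URLs are legitimate input for an "open this page" handler.
// A hardened handler would call this before open(); file://, smb:// and
// unparsable strings are rejected here, never reaching the shell or URL opener.
function isSafeOpenUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return false;
  if (!SAFE_CHARS.test(raw)) return false;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return false;
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// Log-side check: flag /open-url requests whose url query parameter fails the
// same gate. Each hit records the offending line and the decoded url value.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/(?:GET|POST) (\/open-url\?[^\s"]*)/);
    if (!m) continue;
    // Parse the query string against a placeholder origin to decode url=...
    const url = new URL("http://placeholder" + m[1]).searchParams.get("url");
    if (url !== null && !isSafeOpenUrl(url)) hits.push({ line, url });
  }
  return hits;
}

// Constructed sample lines (not from any real incident): one legitimate
// debugger-ui request, one file:// request from an external address, one noise.
const SAMPLE_LOG = [
  '127.0.0.1 - - [01/Jan/2025:10:00:00 +0000] "POST /open-url?url=http%3A%2F%2Flocalhost%3A8081%2Fdebugger-ui HTTP/1.1" 200',
  '203.0.113.5 - - [01/Jan/2025:10:00:05 +0000] "GET /open-url?url=file%3A%2F%2F0.0.0.0%2Ftmp%2Fx HTTP/1.1" 200',
  '203.0.113.5 - - [01/Jan/2025:10:00:07 +0000] "GET /status HTTP/1.1" 200',
];

console.log(scanAccessLog(SAMPLE_LOG)); // stand-alone run: prints the flagged requests
```

The same `isSafeOpenUrl` gate serves both purposes: in the handler it is a fix-independent defence in depth, and over logs it turns the "watch for `/open-url?url=...`" advice into a concrete filter that ignores the legitimate `http(s)` case.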
## References
- Vendor Advisory: hxxps[://]github[.]com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
- JFrog Research: hxxps[://]jfrog[.]com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/
- NPM Package: hxxps[://]www[.]npmjs[.]com/package/@react-native-community/cli-server-api