Full Report
Details have emerged about a now-patched critical security flaw in the popular "@react-native-community/cli" npm package that could be potentially exploited to run malicious operating system (OS) commands under certain conditions. "The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli's
Analysis Summary
# Vulnerability: Remote OS Command Execution in React Native CLI
## CVE Details
- CVE ID: CVE-2025-11953
- CVSS Score: 9.8 (Critical)
- CWE: Not Specified
## Affected Systems
- Products: `@react-native-community/cli`, `@react-native-community/cli-server-api`
- Versions: `@react-native-community/cli-server-api` package versions 4.8.0 through 20.0.0-alpha.2. (The context implies that the main CLI package using this affected dependency is also at risk).
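The following is an added example, not code from the advisory or from the react-native-community project: a Python script that scans an npm `package-lock.json` (lockfile versions 1, 2 and 3) for copies of `@react-native-community/cli-server-api` in the affected range. It implements semver precedence itself so that pre-release tags compare correctly (`20.0.0-alpha.2` sorts below `20.0.0`). It flags everything from 4.8.0 up to, but excluding, the fixed 20.0.0 release; that covers the `20.0.0-alpha.2` upper bound named above and also treats any later 20.0.0 pre-release as unpatched, which is slightly broader than the stated range and is a deliberate choice here. The lock file embedded in the script is constructed for the demonstration.

```python
import json
import re

# Package and range from the advisory; the upper bound is the fixed release,
# so every 20.0.0 pre-release (20.0.0-alpha.2 included) sorts below it and is flagged.
VULN_PACKAGE = "@react-native-community/cli-server-api"
FIRST_AFFECTED = "4.8.0"
FIRST_FIXED = "20.0.0"

_SEMVER = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_semver(version):
    """Split 'MAJOR.MINOR.PATCH[-pre][+build]' into (core tuple, pre-release ids)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    # Numeric identifiers compare as integers, the rest as strings (semver spec, item 11)
    ids = tuple(int(p) if p.isdigit() else p for p in pre.split(".")) if pre else ()
    return core, ids


def _compare_prerelease(a, b):
    # A version without a pre-release tag outranks any pre-release of the same core
    if not a and not b:
        return 0
    if not a:
        return 1
    if not b:
        return -1
    for x, y in zip(a, b):
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):
            return -1  # numeric ids rank below alphanumeric ids
        if isinstance(y, int):
            return 1
        return -1 if x < y else 1
    return (len(a) > len(b)) - (len(a) < len(b))


def compare(v1, v2):
    """Return -1, 0 or 1 using full semver precedence, pre-releases included."""
    core1, pre1 = parse_semver(v1)
    core2, pre2 = parse_semver(v2)
    if core1 != core2:
        return -1 if core1 < core2 else 1
    return _compare_prerelease(pre1, pre2)


def is_affected(version):
    return compare(version, FIRST_AFFECTED) >= 0 and compare(version, FIRST_FIXED) < 0


def find_vulnerable(lockfile_text):
    """Return (install path, version) for every affected copy in a package-lock.json."""
    lock = json.loads(lockfile_text)
    hits = []
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            name = path.split("node_modules/")[-1]
            if name == VULN_PACKAGE and "version" in meta and is_affected(meta["version"]):
                hits.append((path, meta["version"]))
    else:  # lockfileVersion 1: nested "dependencies" tree keyed by package name
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                if name == VULN_PACKAGE and is_affected(meta.get("version", "0.0.0")):
                    hits.append((path, meta["version"]))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return hits


# Constructed lock file (not from any real project): one affected copy, one patched nested copy
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@react-native-community/cli": {"version": "15.1.3"},
        "node_modules/@react-native-community/cli-server-api": {"version": "15.1.3"},
        "node_modules/some-tool/node_modules/@react-native-community/cli-server-api": {
            "version": "20.0.0"
        },
    },
})

if __name__ == "__main__":
    for path, version in find_vulnerable(SAMPLE_LOCK):
        print(f"AFFECTED {path} {version}")
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with the file's contents; nested copies matter because a transitive dependency can pin an older `cli-server-api` even when the top-level CLI has been upgraded.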
- Configurations: When the Metro development server is running and bound to external interfaces (not just localhost).
## Vulnerability Description
A critical vulnerability exists in the Metro development server used by the React Native CLI. The server exposes an `/open-url` endpoint that accepts HTTP POST requests. The endpoint takes user-supplied input from the request and passes it, without sanitization, to the `open()` function of the vulnerable `open` npm package. The result is **Arbitrary OS Command Execution (OSCE)** on the machine hosting the development server. On Windows this allows arbitrary shell command execution with fully controlled arguments; on Linux/macOS it permits execution of an arbitrary binary with limited control over its parameters.
## Exploitation
- Status: Zero-day (Implied, as it has been publicly disclosed as recently patched)
- Complexity: Low (Requires sending a specially crafted POST request to an exposed endpoint)
- Attack Vector: Network (Remote, unauthenticated)
## Impact
- Confidentiality: High (Potential data theft via executed commands)
- Integrity: High (Ability to modify system files or install malware)
- Availability: High (Potential for system denial of service or disruption)
## Remediation
### Patches
- Upgrade `@react-native-community/cli` to version **20.0.0** or newer. (This version contains the fix for the underlying dependency issues.)
### Workarounds
- Ensure the Metro development server is configured to bind exclusively to **localhost (127.0.0.1)** instead of external interfaces, if upgrading is not immediately possible.
- Frameworks/setups that **do not** rely on the Metro development server are not impacted.
## Detection
- **Indicators of Compromise (IOCs):** Look for unusual outbound network connections or unexpected process execution originating from processes related to the React Native development environment (e.g., Node.js or Metro server processes).
- **Detection Methods and Tools:** Implement security scanning across the software supply chain for vulnerable dependencies (specifically targeting versions of `@react-native-community/cli-server-api` in the 4.8.0 to 20.0.0-alpha.2 range). Monitor network traffic targeting running Metro servers for suspicious POST requests to the `/open-url` path.
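The network-monitoring method above, as an added example that is not part of the advisory: a Python script that reads HTTP access-log lines in Common Log Format (assumed to come from a reverse proxy or host capture in front of the dev server) and reports POST requests to `/open-url`. Requests from a loopback address are reported as informational, since local tooling may legitimately use the endpoint; any POST to `/open-url` from a non-loopback address is an alert, because it shows the Metro server is reachable from another host, which is the precondition described above. The log lines in the script are constructed for the demonstration.

```python
import ipaddress
import re

OPEN_URL_PATH = "/open-url"

# Common Log Format: client ident user [timestamp] "METHOD PATH PROTO" status size
_CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the parsed fields of one CLF line, or None if it does not parse."""
    m = _CLF.match(line)
    return m.groupdict() if m else None


def is_external(src):
    try:
        return not ipaddress.ip_address(src).is_loopback
    except ValueError:
        return True  # hostname or garbage: cannot prove it is local, so treat as external


def classify(event):
    """Return 'alert', 'info' or None for one parsed request."""
    if event is None or event["method"] != "POST":
        return None
    path = event["path"].split("?", 1)[0]  # ignore any query string
    if path != OPEN_URL_PATH:
        return None
    # A POST to /open-url that did not originate on the loopback interface means the
    # server is reachable from elsewhere, which is the exposure the advisory warns about.
    return "alert" if is_external(event["src"]) else "info"


def scan(lines):
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        verdict = classify(ev)
        if verdict:
            findings.append({"line": n, "level": verdict, "src": ev["src"], "ts": ev["ts"]})
    return findings


# Constructed sample log (not captured from a real system)
SAMPLE_LOG = """\
127.0.0.1 - - [10/Nov/2025:10:01:02 +0000] "GET /status HTTP/1.1" 200 2
127.0.0.1 - - [10/Nov/2025:10:01:05 +0000] "POST /open-url HTTP/1.1" 200 0
10.0.0.57 - - [10/Nov/2025:10:02:11 +0000] "POST /open-url?x=1 HTTP/1.1" 200 0
10.0.0.57 - - [10/Nov/2025:10:02:12 +0000] "GET /index.bundle?platform=ios HTTP/1.1" 200 51234
not a log line
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['level'].upper():5} line {f['line']} src={f['src']} at {f['ts']}")
```

Unparseable lines are skipped rather than failing the run, so the script can be pointed at a mixed log stream; a single alert-level finding is enough to warrant checking the dev server's bind address and the `cli-server-api` version in use.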
## References
- Vendor Advisory (JFrog Security Research): hxxps://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability
- Commit Fixing Vulnerability: hxxps://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
- Release Notes: hxxps://github.com/react-native-community/cli/releases/tag/v20.0.0
- NVD: hxxps://nvd.nist.gov/vuln/detail/CVE-2025-11953