A newly patched, critical security vulnerability has come to light within the widely used @react-native-community/cli npm package, posing a significant risk of remote operating system (OS) command execution. This flaw, which affects the command-line tools that enable developers to build React Native mobile applications, could be exploited under specific conditions to run arbitrary OS commands. The issue also impacts the associated @react-native-community/cli-server-api package in versions 4.8.0 through 20.0.0-alpha.2. Given the package’s popularity, with approximately 1.5 million to 2 million weekly downloads, the potential attack surface was substantial.
The vulnerability, assigned the identifier CVE-2025-11953, has been given a critical severity rating of 9.8 out of 10.0 on the CVSS scale. According to security researchers, the flaw allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine hosting the development server. This is possible because the Metro development server, which React Native utilizes to build JavaScript code and assets, defaults to binding to external interfaces instead of the more secure localhost.
The root of the problem lies in the exposed /open-url endpoint of the Metro development server. This endpoint is susceptible to OS command injection because it processes a POST request that contains a user-supplied value. This user input is then passed unsafely to the open() function provided by the open NPM package, ultimately leading to the execution of OS commands. Consequently, an attacker on the network could send a specifically crafted POST request to the server and execute commands arbitrarily on the developer’s machine.
The practical risk of exploitation is high. On Windows systems, attackers could execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS the flaw can be abused to execute arbitrary binaries, albeit with more limited control over their parameters. The vulnerability is considered particularly dangerous due to its ease of exploitation, the lack of authentication required, and the broad attack surface presented to threat actors.
While the issue has since been resolved with the release of version 20.0.0 early last month, the incident highlights a critical point: the dangers hidden within third-party code in the software supply chain. Developers using React Native with a framework that does not rely on Metro as the development server are not affected. For all others, immediate updating is the only way to mitigate this zero-day risk, underscoring the vital need for comprehensive and automated security scanning to catch easily exploitable flaws before they impact organizations.
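A way to check a project for the affected package, as an added example that is not from the advisory or the project: a dependency-free scan of a package-lock.json (lockfile version 2 or 3 `packages` map) with a small semver comparator that handles prerelease tags such as `20.0.0-alpha.2`. It flags any copy of @react-native-community/cli-server-api at or above 4.8.0 and below the fixed 20.0.0 release, which covers the range the article gives; the lockfile snippet and the `some-old-tool` package name are constructed, and the function names are mine.

```javascript
// Added example (not the project's code): locate vulnerable copies of the
// affected package in a lockfile. Version boundaries come from the article.
const AFFECTED_PACKAGE = '@react-native-community/cli-server-api';
const AFFECTED_FROM = '4.8.0'; // first affected version, inclusive
const FIXED_IN = '20.0.0';     // anything below the fix release is flagged

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: compare major.minor.patch, then prerelease identifiers;
// a prerelease ranks below the same core version without one.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    const pNum = /^\d+$/.test(p), qNum = /^\d+$/.test(q);
    if (pNum && qNum) { if (+p !== +q) return +p < +q ? -1 : 1; continue; }
    if (pNum) return -1; // numeric identifiers rank below alphanumeric ones
    if (qNum) return 1;
    if (p !== q) return p < q ? -1 : 1;
  }
  if (x.pre.length === y.pre.length) return 0;
  return x.pre.length < y.pre.length ? -1 : 1; // shorter prefix ranks lower
}

function isAffectedVersion(v) {
  return compareSemver(v, AFFECTED_FROM) >= 0 && compareSemver(v, FIXED_IN) < 0;
}

// Walk the lockfileVersion 2/3 "packages" map. Keys are install paths such as
// "node_modules/@scope/name" or "node_modules/a/node_modules/@scope/name",
// so nested duplicates pulled in by other tools are found too.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(`node_modules/${AFFECTED_PACKAGE}`)) continue;
    if (entry.version && isAffectedVersion(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed lockfile: a fixed top-level copy plus an old copy nested under
// a made-up dependency, which is the case a quick "npm ls" glance can miss.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@react-native-community/cli': { version: '20.0.0' },
    'node_modules/@react-native-community/cli-server-api': { version: '20.0.0' },
    'node_modules/some-old-tool': { version: '2.3.1' },
    'node_modules/some-old-tool/node_modules/@react-native-community/cli-server-api': { version: '13.6.9' },
  },
};

function scanSample() {
  return findAffected(SAMPLE_LOCKFILE);
}

console.log(JSON.stringify(scanSample(), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; lockfile version 1 files use a nested `dependencies` tree instead of `packages` and would need a recursive walk.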