A serious security flaw in a widely used React Native development tool has put countless app developers in danger of remote attacks.
Quick Summary – TLDR:
- A critical vulnerability in the @react-native-community/cli-server-api exposes systems to remote code execution.
- The flaw is tracked as CVE-2025-11953 and carries a maximum CVSS score of 9.8.
- The vulnerability affects versions 4.8.0 through 20.0.0-alpha.2 and has been patched in version 20.0.0.
- Developers are urged to update immediately or use a localhost-only workaround to stay safe.
What Happened?
Security researchers from JFrog discovered a severe remote code execution (RCE) vulnerability affecting the popular @react-native-community/cli-server-api NPM package. This flaw could allow unauthenticated attackers to execute arbitrary system commands on machines running the React Native development server.
Millions of developers using React Native’s Metro server are potentially impacted. Meta, the package maintainer, has since released a fix, but the vulnerability underscores growing concerns around the software supply chain and third-party dependencies.
⚠️ Heads up, React Native devs: We’ve just disclosed CVE-2025-11953, a critical CVSS 9.8 RCE vulnerability in the React Native CLI.
🚩The risk: An unauthenticated network attacker can get #RCE on your machine via the running dev server.
Full technical breakdown & mitigation…
— JFrog (@jfrog) November 4, 2025
Vulnerability Overview
The vulnerability, officially labeled CVE-2025-11953, affects the React Native Community CLI, a set of command-line tools used to build and manage React Native applications. The tool is downloaded roughly two million times each week, making it a high-value target for attackers.
Key Details:
- CVSS Score: 9.8 (Critical)
- Impacted Versions: 4.8.0 to 20.0.0-alpha.2
- Patched Version: 20.0.0
- Discovery By: JFrog security researchers, including Or Peles
- Maintained By: Meta, with community and corporate contributors like Microsoft
How the Exploit Works
At the core of the issue is the unsafe use of the open() function from the open NPM package within the Metro development server’s /open-url endpoint. When developers use common startup commands like npm start or npx react-native start, the server processes incoming POST requests to this endpoint.
However, instead of sanitizing the request’s input, the server passes it directly to the open() function, which can trigger system-level command execution.
Platform-Specific Impact:
- Windows: Full control over command parameters allows complete command injection.
- Linux/macOS: While execution is more restricted, researchers demonstrated that arbitrary code execution is still possible.
Compounding the threat is a second flaw: the development server binds to all network interfaces by default, even though it claims to operate locally. This allows remote attackers to reach and exploit the server across a network, expanding what would have been a local vulnerability into a network-exploitable issue.
Who Is Affected?
Any developer running a vulnerable version of @react-native-community/cli-server-api and using the default Metro server setup is at risk. The problem affects systems where the package is installed either locally or globally.
Users of frameworks like Expo, which use their own development servers, are generally not affected.
What Should Developers Do?
Immediate Actions:
- Update the Package: Upgrade to version 20.0.0 or later as soon as possible.
- Verify Installation: Run npm list @react-native-community/cli-server-api in your project directory, or npm list -g @react-native-community/cli-server-api to check global installations.
- Apply Workaround: If updating is not immediately possible, bind the server to localhost using npx react-native start --host 127.0.0.1.
Industry Reaction
In their disclosure, JFrog emphasized how this flaw reveals deeper risks hidden within open source tools. Or Peles, senior researcher at JFrog, noted:
Meta responded swiftly by issuing a patch, showing the benefits of active maintenance and community involvement in major open source projects. Still, the incident raises red flags about how easily a third-party tool can expose systems to full compromise.
SQ Magazine Takeaway
I’ve seen vulnerabilities before, but this one strikes especially close to home. If you are a React Native developer, you should not brush this off. The fact that attackers don’t need any login and can simply fire off a POST request to hijack your dev server is a nightmare scenario. It shows how something as routine as a dev server could be a backdoor into your system. Always keep your tools updated, and if you’re relying on third-party packages, make sure your CI/CD includes real security scanning. This kind of flaw is exactly why proactive defense matters.
