LONDON (IT BOLTWISE) – A serious security flaw in the popular npm package @react-native-community/cli has put millions of developers at significant risk. The vulnerability, which has since been fixed, allowed attackers to execute malicious operating system commands under certain conditions.
A critical security flaw in the widely used npm package @react-native-community/cli has put millions of developers worldwide at significant risk. This vulnerability, which has since been fixed, allowed attackers to execute malicious operating system commands under certain conditions. The vulnerability, tracked as CVE-2025-11953, received a CVSS score of 9.8 out of 10, indicating critical severity.
The vulnerability affected package versions 4.8.0 through 20.0.0-alpha.2 and was fixed in version 20.0.0, released early last month. The package, maintained by Meta, allows developers to build mobile applications using React Native and is downloaded approximately 1.5 to 2 million times weekly. The vulnerability resulted from the fact that the Metro development server used by React Native is bound to external interfaces by default, exposing an “/open-url” endpoint that is vulnerable to OS command injection.
The server’s “/open-url” endpoint accepts a POST request and passes a user-supplied value from the request body, without validation, to the open() function of the open npm package, which results in the execution of OS commands. An unauthenticated attacker on the network could exploit the vulnerability by sending a specially crafted POST request to the server and executing arbitrary commands. On Windows systems, attackers can execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS they can execute arbitrary binaries with limited control over the parameters.
The issue has since been resolved, and developers using React Native with a framework that does not rely on Metro as its development server were never affected. This zero-day vulnerability is particularly dangerous because it is easy to exploit, requires no authentication, and exposes a broad attack surface. It also highlights the critical risks hidden in third-party code. For development and security teams, it underlines the need for automated, comprehensive security checks across the entire software supply chain so that easily exploitable vulnerabilities are addressed before they impact the business.


Please send any additions and information to the editorial team by email to de-info[at]it-boltwise.de. Since we cannot rule out AI hallucinations, which rarely occur with AI-generated news and content, we ask you to contact us via email and inform us in the event of false statements or misinformation. Please don’t forget to include the article headline in the email: “Critical vulnerability in React Native CLI puts millions of developers at risk”.
