React Native CLI Flaw Lets Attackers Execute Commands: Patched in Latest Update

Critical React Native CLI Vulnerability Exposes Developers to Remote Code Execution

A significant security vulnerability has been identified in the widely used @react-native-community/cli npm package, potentially allowing remote attackers to execute arbitrary operating system commands on developers' machines. The flaw, designated CVE-2025-11953, has been assigned a critical CVSS severity score of 9.8 out of 10.

The @react-native-community/cli package, maintained by Meta, is the command-line interface used to build and run React Native mobile applications. With between 1.5 and 2 million weekly downloads, it is a staple of the developer community, and the vulnerable code ships in development tooling that runs on every developer workstation, not in the apps those developers ship.

The vulnerability stems from the development server that the CLI starts on top of Metro, the bundler React Native uses to compile JavaScript code and assets. By default this server listens on all network interfaces rather than only on localhost, so every endpoint it exposes is reachable from other hosts on the same network. One of those endpoints, /open-url, is susceptible to operating system command injection.

Specifically, the /open-url endpoint accepts POST requests carrying a user-supplied URL. That string is passed to the open() function from the open npm package without adequate validation. The open package does not launch a URL itself; it delegates to the platform's opener (on Windows a PowerShell Start-Process invocation, on Linux and macOS xdg-open or open), which is why an unchecked string can turn into command execution.

An unauthenticated attacker on the same network can exploit the flaw by sending a specially crafted POST request to the development server, resulting in arbitrary command execution under the developer's account. The impact differs by platform: on Windows, attackers can run shell commands with fully controlled arguments; on Linux and macOS, the vulnerability allows execution of arbitrary binaries, but with limited control over their parameters.

The vulnerable code lives in @react-native-community/cli-server-api, the subpackage of the CLI that implements the development server endpoints. Affected versions range from 4.8.0 through 20.0.0-alpha.2; the issue is fixed in version 20.0.0, released in early October 2025. Because cli-server-api is usually pulled in transitively, teams should confirm the version that actually resolves in their lockfile (for example with npm ls @react-native-community/cli-server-api) rather than relying on the version of the top-level CLI package. Developers using React Native frameworks that do not run the Community CLI's development server are unaffected.

This vulnerability is particularly alarming due to its ease of exploitation, the absence of any authentication requirement, and the size of the installed base. It also underscores the risks that come with third-party dependencies in development tooling: a dev server that listens on every interface turns any shared network, such as a conference or coffee-shop Wi-Fi, into an attack path to the developer's machine.

For development and security teams, the immediate steps are to upgrade to a fixed version of the CLI, to bind the development server to localhost explicitly (the start command's --host option) rather than relying on the default, and to avoid running development servers on untrusted networks. More broadly, the incident highlights the importance of automated, comprehensive security scanning across the software supply chain, including the build and development tooling that never ships to production but runs with full access to source code and credentials on every engineer's workstation.