
React Vulnerability Endangers Millions of Downloads

A critical React Native flaw exposes millions of developers to remote code attacks.

Written by Ken Underhill
Nov 5, 2025
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners.

Security researchers at JFrog have disclosed a severe vulnerability in React Native that could expose millions of developers to remote code execution (RCE) attacks. 

The flaw carries a CVSS score of 9.8 and affects the popular @react-native-community/cli package, which receives more than two million weekly downloads.

Inside the React Vulnerability

The vulnerability (CVE-2025-11953) enables unauthenticated attackers to execute arbitrary operating system commands on machines running the React Native development server, known as Metro. 

Because the server can be reached over the network even when it is only meant to be used locally, exploitation can compromise developer environments anywhere.

The issue originated in unsafe handling of user-supplied input within the CLI’s /open-url endpoint. 

This endpoint passes unfiltered data directly to the open() function from the open npm package, allowing attackers to execute shell commands on affected systems. 

While the vulnerability is most easily exploited on Windows, it could theoretically impact macOS and Linux systems as well.

The flaw affects versions 4.8.0 through 20.0.0-alpha.2, and Meta has released a patch for the vulnerability.

Developers can check their project dependencies by running npm list @react-native-community/cli-server-api or the global version using npm list -g @react-native-community/cli-server-api.
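The version range and the npm list check above lend themselves to automation. The following is an added example, not JFrog's or the React Native project's code: it walks the JSON tree printed by npm ls --json --all (npm ls is an alias of npm list) and flags every copy of @react-native-community/cli-server-api whose version falls in the affected range, using a small prerelease-aware comparison so that 20.0.0-alpha.2 counts as affected while 20.0.0 does not. The dependency tree embedded in it is constructed sample data, not output from a real project.

```javascript
const PKG = "@react-native-community/cli-server-api";
const FIRST_AFFECTED = "4.8.0", LAST_AFFECTED = "20.0.0-alpha.2";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : null };
}

// Semver precedence: numeric fields, then prerelease identifiers; a release
// outranks every prerelease of the same MAJOR.MINOR.PATCH (20.0.0-alpha.2 < 20.0.0).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre || !pb.pre) return pa.pre ? -1 : 1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1; // numeric identifiers sort before alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: 4.8.0 through 20.0.0-alpha.2 inclusive.
function isAffected(version) {
  return compareSemver(version, FIRST_AFFECTED) >= 0 && compareSemver(version, LAST_AFFECTED) <= 0;
}

// Walk an `npm ls --json --all` tree; return "parent > child" paths of vulnerable copies.
function findVulnerable(node, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === PKG && info.version && isAffected(info.version)) hits.push(here.join(" > "));
    hits.push(...findVulnerable(info, here));
  }
  return hits;
}

// Constructed sample shaped like `npm ls --json --all` output (not a real project).
const SAMPLE = { name: "demo-app", version: "1.0.0", dependencies: {
  "@react-native-community/cli": { version: "15.0.1", dependencies: {
    "@react-native-community/cli-server-api": { version: "15.0.1" } } },
  "some-tool": { version: "2.0.0", dependencies: {
    "@react-native-community/cli-server-api": { version: "20.0.0" } } } } };

console.log(findVulnerable(SAMPLE));
```

To check a real project, replace SAMPLE with JSON.parse of the output of npm ls --json --all run in the project directory (or with -g for the global install).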

How the Exploit Works 

JFrog’s technical analysis revealed that an attacker could send a specially crafted POST request to the vulnerable development server’s /open-url endpoint. 

Because the server passes user input directly to the system shell without sanitization, this could lead to arbitrary command execution.

For example, on Windows, an attacker could execute a harmless test command such as launching the Calculator (calc.exe) or a more dangerous command to manipulate system files. 

In controlled demonstrations, JFrog researchers successfully executed commands that created new files on the host system, proving full RCE capability.

The risk is heightened by a secondary configuration flaw in React Native’s core codebase.

The development server binds to all network interfaces (0.0.0.0) rather than just localhost. 

As JFrog researchers stated, “If host is omitted, the server will accept connections on the unspecified IPv6 address (::) when IPv6 is available, or the unspecified IPv4 address (0.0.0.0) otherwise. In most operating systems, listening to the unspecified IPv6 address (::) may cause the net.Server to also listen on the unspecified IPv4 address (0.0.0.0).”

This default configuration unintentionally exposes local development servers to external network access, increasing the attack surface.

How to Stay Protected 

Developers are strongly advised to update the @react-native-community/cli-server-api package to version 20.0.0 or later, which includes the official patch. This update effectively closes the RCE vulnerability.

For teams unable to upgrade immediately, JFrog recommends a temporary mitigation: explicitly bind the development server to localhost by starting it with the command npx react-native start --host 127.0.0.1.

This restricts external access to the Metro development server, reducing exposure to network-based attacks.

Additionally, implement secure coding practices, conduct regular dependency audits, and use automated security scanning tools to identify vulnerable third-party libraries early in the development cycle.

Supply Chain Attacks on the Rise

The disclosure of CVE-2025-11953 highlights a persistent challenge in modern software development: the security risks inherent in third-party dependencies. 

Even trusted open-source frameworks like React Native can be undermined by flaws in externally maintained components.

This incident also reflects the growing sophistication of software supply chain attacks, in which adversaries increasingly target developer tools and environments rather than production systems. 


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
