Threat Advisory

React Native CLI Vulnerability Enables Remote Code Execution

Threat: Vulnerability
Threat Actor Name: -
Threat Actor Type: -
Targeted Region: Global
Alias: -
Threat Actor Region: -
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

A critical vulnerability tracked as CVE-2025-11953 was discovered in the @react-native-community/cli and @react-native-community/cli-server-api npm packages. It allows a remote, unauthenticated attacker to execute arbitrary operating system commands on any machine running the React Native development server. Rated CVSS 9.8, the flaw stems from the Metro development server binding to external network interfaces and exposing an "/open-url" endpoint that passes attacker-controlled request input to the open() function without sanitisation, which results in command injection. Successful exploitation runs arbitrary commands on Windows, Linux and macOS hosts, a severe risk to every developer using the affected tool. The issue is fixed in @react-native-community/cli version 20.0.0. It highlights the danger of insecure default configurations (a development server reachable from the network rather than only from localhost) and the importance of software supply chain hygiene for development tooling.

RECOMMENDATION:

We strongly recommend updating @react-native-community/cli (and with it @react-native-community/cli-server-api) to version 20.0.0 or later. Check the installed version with npm ls @react-native-community/cli in each project. Until the update is applied, make sure the development server is reachable only on localhost and not from other hosts on the network.

REFERENCES:

The following report contains further technical details:
https://thehackernews.com/2025/11/critical-react-native-cli-flaw-exposed.html