
React Native CLI Remote Code Execution Vulnerability (CVE-2025-11953)


Summary


A critical security flaw in the React Native CLI, tracked as CVE-2025-11953, lets a remote, unauthenticated attacker execute arbitrary OS commands on a developer's machine while the Metro development server is running. It affects versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package (pulled in through @react-native-community/cli), which is used by millions of React Native developers, and is fixed in version 20.0.0. Two defects combine: the development server listens on all network interfaces by default rather than only on loopback, so it is reachable from the local network (or from the internet if the host is exposed), and its '/open-url' endpoint hands an attacker-supplied URL to an OS-level "open" helper without validation, which permits OS command injection. Anyone who can reach the server's port can therefore run commands with the privileges of the developer's user account. The flaw underscores the risk carried by third-party code and the need for comprehensive security scanning across the software supply chain.
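Two things a practitioner wants from this summary are a way to tell whether a project pulls in an affected copy of the package, and a picture of what a hardened '/open-url' handler must do differently. The block below is an added example, not code from the React Native CLI, Metro or the source article. It assumes a package-lock.json in the v2/v3 "packages" layout, implements semver ordering by hand so that 20.0.0-alpha.2 sorts below the 20.0.0 fix, and uses a constructed sample lockfile; the function names and the allowlist regex are illustrative choices, not the project's API.

```javascript
// Added example (not code from the project or the page). Flags copies of
// @react-native-community/cli-server-api inside the advisory's stated range,
// 4.8.0 through 20.0.0-alpha.2, in a package-lock.json, and shows the
// validation an "/open-url"-style parameter needs before it reaches any
// process launcher. Names and the sample lockfile are constructed.

const AFFECTED_PACKAGE = '@react-native-community/cli-server-api';
const FIRST_AFFECTED = '4.8.0';
const LAST_AFFECTED = '20.0.0-alpha.2';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// One prerelease identifier, per semver 2.0.0 rule 11: numeric identifiers
// compare numerically and always sort before alphanumeric ones.
function comparePreId(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Number(a) - Number(b);
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Comparator (<0, 0, >0). A release sorts after every prerelease of the same
// core, so 20.0.0 > 20.0.0-alpha.2, which is what makes 20.0.0 the fix.
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = comparePreId(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return a.pre.length - b.pre.length;
}

// True when the version lies in the range the advisory names. A 20.0.0
// prerelease newer than alpha.2 falls outside that statement; treat anything
// below 20.0.0 as needing an upgrade regardless.
function isAffectedVersion(version) {
  return compareSemver(version, FIRST_AFFECTED) >= 0 &&
         compareSemver(version, LAST_AFFECTED) <= 0;
}

// Walk the lockfile's "packages" map. Nested copies live under paths such as
// node_modules/<tool>/node_modules/@react-native-community/cli-server-api,
// so match on the path suffix rather than on one hoisted key.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${AFFECTED_PACKAGE}`)) continue;
    if (entry.version && isAffectedVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Hardened counterpart for an "open this URL" parameter: accept only http(s)
// URLs built from RFC 3986 characters, so quotes, spaces, pipes and backticks
// are rejected up front. "&" is legitimate in query strings and stays allowed,
// which is why the value must then be handed to an execFile-style API as a
// single argv element and never interpolated into a shell command line.
function validateOpenUrl(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) return null;
  if (!/^[A-Za-z0-9\-._~:\/?#\[\]@!$&'()*+,;=%]+$/.test(raw)) return null;
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.href;
}

// Constructed sample lockfile: one vulnerable hoisted copy, one nested fixed
// copy, one unrelated package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@react-native-community/cli-server-api': { version: '19.1.1' },
    'node_modules/some-tool/node_modules/@react-native-community/cli-server-api': { version: '20.0.0' },
    'node_modules/metro': { version: '0.82.0' },
  },
};

console.log(findAffectedInLock(SAMPLE_LOCK));
console.log(validateOpenUrl('http://localhost:8081/debugger-ui'));
console.log(validateOpenUrl('http://localhost:8081/" & whoami'));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the parsed file. Any hit means upgrading to 20.0.0 or later; until that lands, start the development server bound to loopback (`react-native start --host 127.0.0.1`) and do not run it on networks you do not control, since reachability of the port is the first of the two conditions the flaw needs.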

Timeline

  1. 04.11.2025 16:24

    Critical React Native CLI Vulnerability Patched in Version 20.0.0

    A critical security flaw in the React Native CLI, tracked as CVE-2025-11953, was disclosed and patched in version 20.0.0. It allows remote, unauthenticated attackers to execute arbitrary OS commands on development machines running the Metro development server. The server listens on all network interfaces by default instead of only on loopback, and its '/open-url' endpoint passes an attacker-supplied URL to an OS-level "open" helper without validation, which permits OS command injection. The affected packages are @react-native-community/cli and @react-native-community/cli-server-api, versions 4.8.0 through 20.0.0-alpha.2.

