- CVE-2025-11953 allows OS command injection via Metro server in React Native CLI
- Affects versions 4.8.0 through 20.0.0-alpha.2; patched in 20.0.0; exploitation requires no authentication
- No confirmed exploit yet; limit server exposure or update immediately
A very popular npm package had a critical severity vulnerability that allowed threat actors in certain scenarios to run malicious commands, experts have warned.
Cybersecurity researchers from JFrog say the package in question is called “@react-native-community/cli,” made to help developers build React Native mobile applications, and that it gets up to two million downloads per week.
On NVD it is explained that the Metro Development Server, opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection, which allows threat actors to send a POST request and run arbitrary executable files. On Windows this means attackers can execute arbitrary shell commands with fully controlled arguments; on Linux and macOS they can launch arbitrary executables, but with only limited control over the parameters passed to them.
Behaving like hacktivists
The bug is tracked as CVE-2025-11953 and has a severity rating of 9.8/10 (Critical). It affects package versions 4.8.0 through 20.0.0-alpha.2 and has been fixed in version 20.0.0, released early last month. Those who cannot immediately update their endpoints should limit network exposure of the Metro server.
If you’re using React Native with a framework that doesn’t rely on Metro as a development server, you’re not affected, the advisory said. “This zero-day vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements, and broad attack surface,” JFrog’s researchers explained. “It also reveals the critical risks hidden in third-party code.”
“For developer and security teams, this underscores the need for automated, comprehensive security scanning across the software supply chain to ensure that easily exploitable flaws are patched before they impact your organization.”
At press time, there were no confirmed public reports that CVE-2025-11953 had been exploited in the wild. Multiple sources indicate that while the vulnerability is highly exploitable, actual exploit activity has yet to be confirmed.
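One practical check a defender can run today is a lockfile audit for the affected range reported above. The script below is an added example, not code from the article, JFrog or the React Native project; it walks a package-lock.json "packages" map (lockfile v2/v3 format), implements semver ordering inline so prerelease tags such as 20.0.0-alpha.2 sort correctly, and treats every copy of @react-native-community/cli at or above 4.8.0 and below the fixed 20.0.0 release as unpatched. The sample lockfile is constructed for the demonstration.

```javascript
// Added example: audit a package-lock.json for unpatched copies of the
// React Native Community CLI (CVE-2025-11953). No dependencies required.
const PKG = "@react-native-community/cli";
const FIRST_AFFECTED = "4.8.0"; // first affected version, per the advisory
const FIXED_VERSION = "20.0.0"; // fix shipped here, per the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [m[1], m[2], m[3]].map(Number), pre: m[4] ? m[4].split(".") : [] };
}

// Comparator (<0, 0, >0). A prerelease (20.0.0-alpha.2) sorts before its release (20.0.0).
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) if (A.nums[i] !== B.nums[i]) return A.nums[i] - B.nums[i];
  if (A.pre.length === 0 || B.pre.length === 0) return B.pre.length - A.pre.length;
  const n = Math.max(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    const x = A.pre[i], y = B.pre[i];
    if (x === undefined) return -1; // shorter prerelease list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) - Number(y); }
    else if (xn !== yn) return xn ? -1 : 1; // numeric identifiers sort before alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Unpatched if FIRST_AFFECTED <= version < FIXED_VERSION (covers 20.0.0-alpha.2).
function isAffected(version) {
  return compareSemver(version, FIRST_AFFECTED) >= 0 && compareSemver(version, FIXED_VERSION) < 0;
}

// Report every copy of the CLI in the lockfile, including nested duplicates.
function auditLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith(`node_modules/${PKG}`) && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a fixed top-level copy plus a nested unpatched copy.
const SAMPLE_LOCK = { packages: {
  ["node_modules/" + PKG]: { version: "20.0.0" },
  ["node_modules/some-tool/node_modules/" + PKG]: { version: "15.1.3" },
} };
console.log(auditLockfile(SAMPLE_LOCK)); // reports only the nested 15.1.3 copy
```

Run it against a real lockfile by replacing SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json")); nested copies under other tools are the ones a plain top-level version check misses.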
Via Hacker News