Critical RCE Vulnerability in React Native NPM Package

Source: Cyber Security News

The @react-native-community/cli NPM package, essential for React Native development, has a severe vulnerability that lets attackers execute arbitrary commands on a developer’s machine through its development server. Tracked as CVE-2025-11953 with a CVSS score of 9.8, the flaw stems from mishandled user input in the server’s /open-url endpoint, so it can be triggered by anyone able to reach the server over the network. Commands such as ‘npm start’ launch this server, which is central to project initialization and to running the Metro bundler.

Unfortunately, the Metro server binds to all network interfaces by default, because the host parameter passed to the runServer function is left undefined; that default turns a local development convenience into a remotely reachable attack surface. Developers using vulnerable versions (4.8.0 to 20.0.0-alpha.2) are at risk, especially those not using a framework such as Expo that wraps the CLI. On Windows the vulnerability is straightforward to exploit, while on Unix-like systems an attacker would need workarounds to execute remote files. Updating the CLI to version 20.0.0 is necessary for protection, together with the practice of binding the development server to localhost. The incident highlights the risk posed by third-party libraries and by network-exposed defaults in development tools.
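The two defender-side actions the text recommends, finding installed CLI versions inside the affected range and making sure the dev server binds to loopback rather than all interfaces, are shown below as an added Node.js example. This is not code from the @react-native-community/cli project; the lockfile contents, the version numbers in it, and the helper names (isAffectedCliVersion, findVulnerableCli, devServerBindHost) are constructed for illustration.

```javascript
// Added example: audit a package-lock.json for CVE-2025-11953 and pick a safe bind host.
// Not part of the @react-native-community/cli project; helper names and sample data are assumptions.

// Minimal semver parsing (major.minor.patch with optional pre-release), no external packages.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: compare major/minor/patch, then pre-release identifiers.
// A release (no pre-release) is higher than any of its own pre-releases.
function compareVersions(a, b) {
  const A = parseVersion(a), B = parseVersion(b);
  for (let i = 0; i < 3; i++) if (A.main[i] !== B.main[i]) return A.main[i] < B.main[i] ? -1 : 1;
  if (A.pre.length === 0 && B.pre.length === 0) return 0;
  if (A.pre.length === 0) return 1;
  if (B.pre.length === 0) return -1;
  const n = Math.max(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= A.pre.length) return -1; // fewer identifiers sorts first (alpha < alpha.2)
    if (i >= B.pre.length) return 1;
    const x = A.pre[i], y = B.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn) return -1; // numeric identifiers sort before alphanumeric ones
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected range stated in the advisory summary: 4.8.0 through 20.0.0-alpha.2; fixed in 20.0.0.
const AFFECTED_FROM = '4.8.0';
const AFFECTED_TO = '20.0.0-alpha.2';
function isAffectedCliVersion(v) {
  return compareVersions(v, AFFECTED_FROM) >= 0 && compareVersions(v, AFFECTED_TO) <= 0;
}

// Walk a lockfileVersion 3 "packages" map and report every installed copy of the CLI in range.
// Nested copies (e.g. node_modules/foo/node_modules/@react-native-community/cli) are included.
function findVulnerableCli(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p.endsWith('node_modules/@react-native-community/cli'))
    .filter(([, meta]) => meta && meta.version && isAffectedCliVersion(meta.version))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Hardened bind-host selection. Node's server.listen(port) with no host listens on all
// interfaces, which is the exposure described above; default to loopback instead and
// only bind wider when the developer explicitly asks for it.
function devServerBindHost(requestedHost) {
  return requestedHost === undefined || requestedHost === '' ? '127.0.0.1' : requestedHost;
}

// Constructed sample lockfile (versions chosen for illustration, not taken from any real project).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { '@react-native-community/cli': '^15.0.0' } },
    'node_modules/@react-native-community/cli': { version: '15.1.3' },
    'node_modules/@react-native-community/cli-server-api': { version: '15.1.3' },
    'node_modules/some-tool/node_modules/@react-native-community/cli': { version: '20.0.0' },
  },
};

console.log('vulnerable CLI installs:', findVulnerableCli(SAMPLE_LOCK));
console.log('dev server bind host:', devServerBindHost(process.env.RN_DEV_HOST));
```

To run this against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested 20.0.0 copy in the sample is deliberately outside the range so the audit reports only the top-level 15.1.3 install.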

👉 Read the original: Cyber Security News