- CVE-2025-11953 allows OS command injection via Metro Server in React Native CLI
- Affects versions 4.8.0 to 20.0.0-alpha.2; fixed in 20.0.0; the exploit requires no authentication
- No in-the-wild exploitation confirmed yet; restrict the Metro server's network exposure or update immediately
A popular npm package contained a critical severity vulnerability that allowed threat actors in certain scenarios to execute malicious commands, experts warned.
Cybersecurity researchers at JFrog say the package in question is “@react-native-community/cli,” designed to help developers create React Native mobile apps and downloaded up to two million times per week.
NVD explains that the Metro development server started by the React Native Community CLI binds to external interfaces by default. The server exposes an endpoint vulnerable to operating system command injection: an unauthenticated attacker can send a crafted POST request and execute arbitrary executables. On Windows this extends to arbitrary shell commands with fully controlled arguments; on Linux and macOS it is limited to running arbitrary binaries with only limited control over their parameters.
Act like hacktivists
The bug is tracked as CVE-2025-11953 and has a severity score of 9.8/10 (critical). It affects package versions 4.8.0 through 20.0.0-alpha.2 and was fixed in version 20.0.0 released early last month. Those who cannot immediately update their endpoints should limit the network exposure of the Metro server.
If you’re using React Native with a framework that doesn’t rely on Metro as a development server, you’re not affected, the researchers added. “This zero-day vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements, and large attack surface,” JFrog researchers explained. “It also exposes critical risks hidden in third-party code.”
“For developers and security teams, this highlights the need for automated and comprehensive security scanning throughout the software supply chain to ensure easily exploitable vulnerabilities are fixed before they impact your organization.”
At press time, there were no confirmed public reports indicating that CVE-2025-11953 had been exploited in the wild. Multiple sources indicate that while the vulnerability is highly exploitable, actual exploitation activity has not yet been verified.
Via Hacker news