Mallory

Critical Remote Code Execution Vulnerability in React Native CLI

Tags: open-source-dependency-vulnerability, internet-facing-service-vulnerability, widely-deployed-product-advisory
Updated March 21, 2026 at 03:31 PM. 6 sources


A critical vulnerability, tracked as CVE-2025-11953, was discovered in the @react-native-community/cli npm package, which is widely used for developing React Native mobile applications. The flaw, rated CVSS 9.8, allows unauthenticated remote attackers to execute arbitrary operating system commands on machines running the React Native CLI's development server. Two defaults combine to make it reachable: the Metro development server binds to all network interfaces (0.0.0.0) rather than to localhost, and it exposes a /open-url endpoint that takes a URL from the body of an HTTP POST request and passes it, without validation, to the open npm package, which launches the platform's URL opener. A specially crafted POST request therefore yields remote code execution on the developer's machine. On Windows, attackers can execute arbitrary shell commands with full argument control; on Linux and macOS, they can launch arbitrary binaries with limited control over the arguments.

The issue affects versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package (the component of the CLI that implements the development-server endpoints) and is patched in version 20.0.0. Because cli-server-api is normally pulled in transitively by @react-native-community/cli, check the resolved version of that package in each project (for example with npm ls @react-native-community/cli-server-api) rather than relying on the CLI version alone. The vulnerability posed a significant risk to millions of developers, as the package receives up to 2 million downloads per week. Organizations using affected versions are urged to update immediately to mitigate the risk of exploitation. The vulnerability was reported by JFrog researchers and publicly disclosed in early November 2025.

Timeline

  1. Nov 6, 2025

    Developers urged to mitigate by binding Metro server to localhost

    Security coverage recommended immediate mitigation for unpatched environments by restricting the React Native development server to localhost instead of exposing it on all network interfaces (for example by starting it with --host 127.0.0.1), so that the /open-url endpoint is not reachable from the network at all. This guidance was issued alongside calls to update to secure versions.

  2. Nov 6, 2025

    Technical details reveal Metro server exposure and /open-url exploit path

    Public reporting detailed that the Metro development server binds to 0.0.0.0 by default and that its /open-url endpoint passes attacker-controlled input from the POST body to the open npm package, enabling arbitrary OS command execution. Reports also noted that Windows systems were especially at risk, since full control over shell arguments was possible there, while on macOS and Linux an attacker could launch arbitrary binaries with limited control over their parameters.

  3. Nov 5, 2025

    Meta releases patches for affected React Native CLI versions

    Meta released fixes for the React Native CLI vulnerability, with reports indicating the issue is fixed in version 20.0.0. Developers were advised to upgrade to patched versions to prevent exploitation.

  4. Nov 3, 2025

    CVE-2025-11953 is publicly disclosed

    CVE-2025-11953 was publicly listed as a vulnerability affecting React Native CLI, with some CVE feeds initially labelling it high severity (its CVSS score of 9.8 places it in the critical range). The entry describes a command injection issue that allows remote attackers to achieve remote code execution by sending HTTP requests. Public disclosure established the issue as a tracked vulnerability.

  5. Nov 3, 2025

    JFrog researchers discover and disclose React Native CLI RCE flaw

    JFrog researchers identified a critical command injection vulnerability in the @react-native-community/cli and its server API that could allow unauthenticated remote code execution through the Metro development server. The flaw was later tracked as CVE-2025-11953 and affects versions 4.8.0 through 20.0.0-alpha.2.



Related Stories

Critical Vulnerabilities Exploited in 2025, Including React Native CLI Metro Dev Server RCE

Attackers in 2025 rapidly exploited both new and longstanding vulnerabilities, with mass scanning and weaponization occurring within hours of disclosure. The most targeted weaknesses included deserialization flaws, memory corruption in edge devices, and privilege escalation bugs, with some vulnerabilities—such as those in React Server Components and Microsoft WSUS—being compared to Log4Shell in terms of scale and impact. The Top 25 exploited vulnerabilities of the year highlighted systemic failures in patch management and asset visibility, as attackers leveraged both recent and decade-old flaws to gain initial access, deploy webshells, and compromise CI/CD pipelines. Among the most critical issues was CVE-2025-11953, a remote code execution vulnerability in the React Native Community CLI’s Metro development server. This flaw, caused by unsanitized user input in the `@react-native-community/cli-server-api` package, allowed unauthenticated attackers to execute arbitrary OS commands via exposed HTTP endpoints. The vulnerability posed significant supply chain risks to mobile app development environments, enabling attackers to compromise developer workstations, steal credentials, and potentially pivot into corporate networks. Multiple national CERTs and security vendors issued urgent alerts and mitigation guidance due to the high exploitability and widespread exposure of this vulnerability.

1 month ago
In-the-wild exploitation of React Native Metro4Shell (CVE-2025-11953) for remote code execution

Threat actors have been observed exploiting **CVE-2025-11953** (aka **Metro4Shell**), a critical RCE flaw (CVSS **9.8**) in the React Native **Metro Development Server** exposed via the `@react-native-community/cli` / `@react-native-community/cli-server-api` npm packages. The issue stems from Metro’s development-only `/open-url` HTTP endpoint accepting attacker-controlled input that can be passed unsanitized to an `open()` call; under default configurations Metro may bind to external interfaces, making developer systems reachable from the internet. JFrog disclosed the vulnerability in November 2025, and multiple proof-of-concept exploits emerged after public disclosure; affected versions were reported as `@react-native-community/cli-server-api` **4.8.0 through 20.0.0-alpha.2**, with a fix in **20.0.0+**. VulnCheck telemetry and honeypot/canary observations indicate operational exploitation beginning **Dec 21, 2025**, with repeat activity on **Jan 4** and **Jan 21, 2026**, delivering consistent payloads rather than one-off probing. Observed attacks used **Base64-encoded PowerShell** delivered in HTTP POST bodies to exposed endpoints; the script added **Microsoft Defender** exclusions (including the current working directory and `C:\Users\<Username>\AppData\Local\Temp`), established a raw TCP connection to `8.218.43[.]248:60124`, downloaded an additional payload to the temp directory, and executed it. The downloaded binary was described as **Rust-based** with anti-analysis checks, and exploitation attempts were reported as originating from `5.109.182[.]231`, `223.6.249[.]141`, and `134.209.69[.]155`, underscoring the risk of internet-exposed development infrastructure being used as an initial access vector.

1 month ago
Critical React Framework Vulnerability Enables Remote Code Execution and Supply Chain Risk

A maximum severity vulnerability, tracked as CVE-2025-55182, was discovered and patched in the React JavaScript framework, affecting all versions since 19.0. The flaw, stemming from insecure deserialization in React Server Components payload handling, allows unauthenticated remote code execution, putting millions of web applications and cloud environments at risk. Security researchers highlighted that exploit code is publicly available, and scans indicate that 39% of cloud environments contain vulnerable React instances or use similarly affected versions of Next.js, a related framework. The vulnerability has existed since at least November 2024, and its widespread impact has prompted urgent patching efforts across the industry. The incident has raised significant concerns about software supply chain security, as React is one of the most widely used front-end frameworks globally, with estimates of 55-87 million websites potentially affected. Cybersecurity experts warn that the increasing complexity and automation in software development, combined with the power of AI, are likely to make such vulnerabilities more frequent and severe. The rapid response from the developer community and security vendors underscores the critical nature of this flaw and the ongoing challenges in securing modern web infrastructure against sophisticated exploitation techniques.

1 month ago
