A critical remote-code execution (RCE) flaw in the widely used @react-native-community/cli (and its server API) lets attackers run arbitrary OS commands through the Metro development server, the default JavaScript bundler for React Native.
In essence, launching the development server with the standard commands (e.g., npm start or npx react-native start) can expose the machine to external attackers, because the server binds to all network interfaces by default (0.0.0.0) rather than restricting itself to "localhost" as the console message claims.
According to JFrog researchers, the bug is a severe issue for developers of React Native apps. While exploitation on Windows is well demonstrated (full OS command execution via an unsafe open() call), the macOS/Linux paths are currently less straightforward, although the risk remains real and is subject to further research.
A fix is available, but development teams must move fast, JFrog researchers warned in a blog post.
Vulnerable development server defaults
The vulnerability arises because the Metro development server, which is started via the CLI tool, exposes a "/open-url" HTTP endpoint that takes a URL parameter from a POST request and passes it straight to the "open()" function of the open NPM package. On Windows, this can spawn a "cmd /c ..." call, enabling arbitrary command execution.
Adding to the problem is a misconfiguration in the CLI, which prints that the server is listening on "localhost", but under the hood the host value ends up undefined, so the server listens on 0.0.0.0 by default, exposing it to all external networks.
This combination of an insecure default binding and the flawed open() call creates the conditions for remote code execution, something unusual and dangerous in a development-only tool.
"This vulnerability shows that even simple Remote Code Execution flaws, such as passing user input to the system shell, are still found in real-world software, especially in cases where the dangerous sink function actually resides in third-party code, which was the imported 'open' function in this case," the researchers said.
The bug, tracked as CVE-2025-11953, is assigned a CVSS score of 9.8 out of 10 and affects versions 4.8.0 through 20.0.0-alpha.2.
What should developers do now?
Developers using @react-native-community/cli (or the bundled cli-server-api) in their React Native projects should check for the vulnerable package version in the npm list. The vulnerability is fixed in version 20.0.0 of cli-server-api, so updating immediately is recommended.
The stakes include an attacker remotely executing commands on the victim's development machine, potentially leading to broader network access, code corruption or the injection of malicious payloads into an app build. If updating isn't feasible right away, JFrog advised restricting the dev server to localhost by explicitly passing the "--host 127.0.0.1" flag to reduce exposure.
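To make the "check the npm list" step concrete, here is an added example (not code from the project or from JFrog) that walks the JSON tree `npm ls --all --json` prints, finds every installed copy of @react-native-community/cli-server-api, and flags the ones inside the affected range the article gives (4.8.0 through 20.0.0-alpha.2, fixed in 20.0.0). The dependency tree embedded below is constructed for the example, and the version numbers in it are sample values, not a real project.

```javascript
// Added example, not project code: audit an `npm ls --all --json` tree for
// vulnerable copies of the cli-server-api package.
const PACKAGE = '@react-native-community/cli-server-api';
const FIRST_AFFECTED = '4.8.0';   // from the article
const FIXED = '20.0.0';           // from the article

// Parses "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) return null;
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// SemVer ordering: numeric parts first; a prerelease sorts before the
// release with the same numbers, so 20.0.0-alpha.2 < 20.0.0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    if (pa.pre[i] === undefined) return -1;
    if (pb.pre[i] === undefined) return 1;
    const x = pa.pre[i], y = pb.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected means >= 4.8.0 and < 20.0.0 (which includes 20.0.0-alpha.2).
function isVulnerable(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 &&
         compareVersions(version, FIXED) < 0;
}

// Recursively walks the nested `dependencies` objects of `npm ls --json`
// output and returns one record per installed copy of `name`.
function findPackageCopies(tree, name = PACKAGE, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [depName, info] of Object.entries(deps)) {
    const here = [...path, depName];
    if (depName === name && info.version) {
      out.push({
        path: here.join(' > '),
        version: info.version,
        vulnerable: isVulnerable(info.version),
      });
    }
    findPackageCopies(info, name, here, out);
  }
  return out;
}

// Constructed sample of `npm ls --all --json` output; versions are made up.
const SAMPLE_TREE = {
  name: 'example-app',
  dependencies: {
    '@react-native-community/cli': {
      version: '19.1.0',
      dependencies: {
        '@react-native-community/cli-server-api': { version: '19.1.0' },
      },
    },
    'some-other-tool': {
      version: '1.0.0',
      dependencies: {
        '@react-native-community/cli-server-api': { version: '20.0.0' },
      },
    },
  },
};

function auditSample() {
  return findPackageCopies(SAMPLE_TREE);
}

for (const hit of auditSample()) {
  console.log(`${hit.vulnerable ? 'VULNERABLE' : 'ok'}\t${hit.version}\t${hit.path}`);
}
```

Against a real project, feed the parsed output of `npm ls --all --json` to `findPackageCopies` instead of `SAMPLE_TREE`; a nested copy pulled in by some other tool is as reachable as the top-level one, which is why the walk does not stop at the first match.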
"It's a reminder that secure coding practices and automated security scanning are essential for preventing these easily exploitable flaws before they make it to production," the researchers said, recommending JFrog SAST for identifying issues early in the development process.
The React Native CLI flaw mirrors a broader trend of attackers slipping into developer ecosystems, from npm packages with hidden payloads to rogue "verified" IDE extensions, turning trusted build tools into stealthy points of entry.