Critical RCE Vulnerability Discovered in React Native Community CLI NPM Package with 2M Weekly Downloads
JFrog Security Research team demonstrates CVE-2025-11953 allows unauthenticated attackers to remotely execute code on developers’ machines, putting organisations at risk
Posted: Wednesday, Nov 05

JFrog Ltd (Nasdaq: FROG), the Liquid Software company and creators of the award-winning JFrog Software Supply Chain Platform, today announced the discovery of a critical remote code execution (RCE) vulnerability (CVSS 9.8) affecting react-native, a popular open-source framework for developing cross-platform mobile applications.

The vulnerability was found in a package which is part of the broader React Native Community CLI project widely used by developers. The CLI is a collection of command line tools that help developers build React Native mobile applications. CVE-2025-11953 allows unauthenticated attackers on the same network to remotely execute arbitrary operating system commands on a developer’s machine while the CLI’s development server is running. This risk is amplified by a second vulnerability, CVE-2025-11953, which exposes the development server to external network attacks, making the former vulnerability a highly critical issue.

“This critical vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements and broad attack surface. It also exposes the critical risks hidden in third-party code,” said Or Peles, Senior Security Researcher, JFrog. “For developer and security teams, this underscores the need for automated, comprehensive security scanning across the software supply chain to ensure easily exploitable flaws are remediated before they impact your organisation.”

On Windows machines, this vulnerability enables arbitrary OS command execution with full parameter control, allowing attackers to run arbitrary commands by manipulating the url parameter in a POST request to the /open-url endpoint. On Linux and macOS, it enables execution of arbitrary executables with limited parameter control, though full parameter control may also be possible with further research.
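The following script is an added example for defenders, not code from JFrog or from the React Native Community CLI project. It reviews development-server request records for POST calls to the /open-url endpoint described above and flags the ones a security team would want to look at: requests arriving from a non-loopback client, bodies whose url value is not a well-formed http(s) URL, and bodies that do not parse at all. The log line format and every sample line are constructed for this example; the real server's logging format is not assumed.

```javascript
'use strict';

// Constructed sample records: "<iso-time> <client-ip> <method> <path> <json-body>".
// These lines are made up for the example, not captured from a real server.
const SAMPLE_LOG = [
  '2025-11-05T09:00:01Z 127.0.0.1 POST /open-url {"url":"https://reactnative.dev/docs"}',
  '2025-11-05T09:00:02Z 127.0.0.1 GET /status -',
  '2025-11-05T09:00:03Z 10.0.0.25 POST /open-url {"url":"https://example.com/"}',
  '2025-11-05T09:00:04Z 127.0.0.1 POST /open-url {"url":"file:///placeholder"}',
  '2025-11-05T09:00:05Z 127.0.0.1 POST /open-url not-json',
];

// A development server should only ever be asked to open web URLs.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// The dev server is meant to be driven from the developer's own machine.
function isLoopback(ip) {
  return ip === '::1' || ip.startsWith('127.');
}

// Split one constructed log line into its fields; null if it does not match.
function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+) (.*)$/.exec(line);
  if (!m) return null;
  return { time: m[1], ip: m[2], method: m[3], path: m[4], body: m[5] };
}

// Return the list of reasons a request deserves review (empty means benign).
function assessOpenUrl(req) {
  const reasons = [];
  if (req.method !== 'POST' || req.path !== '/open-url') return reasons;

  if (!isLoopback(req.ip)) reasons.push('non-loopback client');

  let url;
  try {
    url = JSON.parse(req.body).url;
  } catch {
    reasons.push('unparseable body');
    return reasons;
  }

  // Only accept an absolute URL whose scheme is on the allowlist.
  let parsed = null;
  try {
    parsed = new URL(String(url));
  } catch {
    parsed = null;
  }
  if (!parsed) {
    reasons.push('url is not a valid absolute URL');
  } else if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    reasons.push(`disallowed scheme ${parsed.protocol}`);
  }
  return reasons;
}

// Run the assessment over every line and collect the flagged requests.
function scanLog(lines) {
  const alerts = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const reasons = assessOpenUrl(req);
    if (reasons.length > 0) {
      alerts.push({ time: req.time, ip: req.ip, reasons });
    }
  }
  return alerts;
}

for (const alert of scanLog(SAMPLE_LOG)) {
  console.log(`${alert.time} ${alert.ip}: ${alert.reasons.join('; ')}`);
}
```

Against the constructed sample, the first request is benign and the three later /open-url calls are flagged for a non-loopback client, a file: scheme and an unparseable body respectively. The scheme allowlist and loopback check are the two conditions a defender can apply without knowing anything about a specific payload.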

How can CVE-2025-11953 be mitigated?

Performing the following steps will mitigate CVE-2025-11953:

  • Update @react-native-community/cli-server-api to version 20.0.0, which includes a fix for CVE-2025-11953, in each of your react-native projects. This is the recommended solution.
  • Update @react-native/community-cli-plugin to version 20.0.0, to ensure the development server does not bind to external network interfaces by default.
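As an added example (not JFrog's or the React Native Community CLI project's code), the script below checks whether a project's package-lock.json still contains a copy of either package named above at a version below 20.0.0. It walks the lockfile v2/v3 "packages" map, so nested copies under another dependency's node_modules directory are found as well, which is where the CLI server package usually lives. The lock file contents and the version numbers in it are constructed for illustration; only the fixed version 20.0.0 comes from the advisory.

```javascript
'use strict';

// Packages and fixed versions named in the advisory.
const FIXED_VERSIONS = {
  '@react-native-community/cli-server-api': '20.0.0',
  '@react-native/community-cli-plugin': '20.0.0',
};

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when `installed` sorts before `fixed`. A prerelease of the fixed
// version (e.g. 20.0.0-rc.1) is still below it under semver ordering.
function isBelow(installed, fixed) {
  const a = parseSemver(installed);
  const b = parseSemver(fixed);
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre !== null && b.pre === null;
}

// Lockfile v2/v3 keys look like "node_modules/<name>" or
// "node_modules/<parent>/node_modules/<name>"; the package name is
// whatever follows the last "node_modules/". The root project is "".
function findVulnerable(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue;
    const name = path.slice(idx + 'node_modules/'.length);
    const fixed = FIXED_VERSIONS[name];
    if (fixed && entry.version && isBelow(entry.version, fixed)) {
      findings.push({ name, path, installed: entry.version, fixed });
    }
  }
  return findings;
}

// Constructed sample lock file (not a real project): one nested copy of the
// server package still below 20.0.0 and one plugin copy already updated.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@react-native/community-cli-plugin': { version: '20.0.0' },
    'node_modules/react-native/node_modules/@react-native-community/cli-server-api': { version: '19.1.1' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

for (const f of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${f.name} ${f.installed} at ${f.path} (fixed in ${f.fixed})`);
}
```

To use it on a real project, replace SAMPLE_LOCK with the parsed contents of that project's package-lock.json; a vulnerable nested copy means the dependency that pulls it in also needs updating, since bumping the top-level package alone does not replace a copy pinned under another package.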

To view the full technical analysis and complete mitigation steps, visit the blog here: jfrog.com/blog/CVE-2025-11953-critical-react-native-community-cli-vulnerability
