A critical security flaw in the `@react-native-community/cli` npm package that allowed remote attackers to execute arbitrary OS commands has been patched. The vulnerability, CVE-2025-11953, posed a significant risk because it was easy to exploit and had a broad attack surface. #ReactNative #CVE202511953
Key points
- The vulnerability affected the `@react-native-community/cli-server-api` package versions 4.8.0 to 20.0.0-alpha.2.
- It allowed attackers to trigger OS command execution via the `/open-url` endpoint on the Metro development server.
- The flaw stemmed from unsafe handling of user input that was passed to the open() function, which led to command injection.
- The vulnerability was exploited through specially crafted POST requests, with no authentication required.
- Developers are advised to upgrade to patched versions and to add automated security scanning to their supply chain.
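As an added, defensive example (not code from the page or from the React Native CLI project): the kind of validation a dev-server endpoint like the one described needs in front of open(), so that only a normalized http/https URL ever reaches the opener. The host allowlist, the `url` request field and the injected `opener` callback are assumptions made for illustration.

```javascript
// Added example, not the project's code. Rejects anything that is not a
// plain http/https URL to a local host before it is handed to an opener.
// Assumptions: the request body carries the target in a "url" field, and a
// local dev server only ever needs to open local targets.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);
// Characters that carry meaning to a shell; a genuine URL never needs them.
const SHELL_META = /[\s;&|`$(){}<>'"\\]/;

function validateOpenUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: 'url must be a non-empty string' };
  }
  if (SHELL_META.test(raw)) {
    return { ok: false, reason: 'url contains shell metacharacters' };
  }
  let parsed;
  try {
    parsed = new URL(raw); // WHATWG parser: also lowercases scheme and host
  } catch (e) {
    return { ok: false, reason: 'url is not parseable' };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `protocol ${parsed.protocol} not allowed` };
  }
  if (!ALLOWED_HOSTS.has(parsed.hostname)) {
    return { ok: false, reason: `host ${parsed.hostname} not allowed` };
  }
  // Hand on the normalized form, never the raw bytes from the request.
  return { ok: true, url: parsed.href };
}

// Simulated /open-url handler. `opener` is injected (assumed interface)
// so nothing is launched here; a real server would pass open() in.
function handleOpenUrlRequest(body, opener) {
  const result = validateOpenUrl(body && body.url);
  if (!result.ok) {
    return { status: 400, error: result.reason };
  }
  opener(result.url);
  return { status: 200, opened: result.url };
}
```

The validator fails closed: a missing field, a non-http scheme such as file:, a remote host, or any shell metacharacter all produce a 400 before the opener is called.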
Read More: https://thehackernews.com/2025/11/critical-react-native-cli-flaw-exposed.html