Security researchers at software supply chain company JFrog Ltd. have revealed details of a critical vulnerability in React, the open-source JavaScript library developed by Meta Platforms Inc., that potentially puts millions of developers at risk of remote code execution.
The JFrog Security Research team discovered the vulnerability in the widely used @react-native-community/cli NPM package, which is downloaded more than 2 million times weekly. Tracked as CVE-2025-11953, this flaw carries a critical Common Vulnerability Scoring System (CVSS) score of 9.8.
When exploited, the vulnerability allows unauthenticated attackers to execute arbitrary operating system commands on machines running the React Native development server (Metro). This can lead to serious compromises in developer environments.
The root of the issue lies within React Native's core codebase, which exposes the development server to external networks even when it is started as a local development server. This is what makes the risk associated with the vulnerability particularly severe.
The vulnerability stems from unsafe handling of user-supplied input in the CLI's `/open-url` endpoint, which passes unsanitized data to the `open` function from the NPM package `open`. While the issue primarily affects Windows—enabling attackers to run arbitrary shell commands such as launching `calc.exe`—in theory, macOS and Linux installations could also be vulnerable.
Meta was notified of the vulnerability prior to JFrog’s public disclosure, and patches have since been released. The flaw impacts @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2. A fix is included in version 20.0.0 and later.
Developers unsure about the version of React they are using can check their projects by running the following commands:
```
npm list @react-native-community/cli-server-api
npm list -g @react-native-community/cli-server-api
```
For those unable to update immediately, JFrog’s researchers recommend mitigating the risk by explicitly binding the development server to localhost using this command:
```
npx react-native start --host 127.0.0.1
```
The researchers emphasized the broader implications of this vulnerability, stating:
“This vulnerability shows that even straightforward Remote Code Execution flaws, such as passing user input to the system shell, are still found in real-world software, especially in cases where the dangerous sink function actually resides in third-party code, which was the imported ‘open’ function in this case. It’s a reminder that secure coding practices and automated security scanning are essential for preventing these easily exploitable flaws before they make it to production.”

*Image: SiliconANGLE/Ideogram*
https://siliconangle.com/2025/11/04/jfrog-discloses-cvss-9-8-react-vulnerability-putting-millions-developers-risk/
