Software supply chain security firm JFrog has disclosed the details of a critical vulnerability affecting a popular React Native NPM package.
React Native is an open source framework designed for creating applications that work across mobile, desktop and web platforms.
The vulnerability discovered by JFrog researchers, tracked as CVE-2025-11953 and assigned a CVSS score of 9.8, impacts the React Native Community CLI NPM package (@react-native-community/cli), which provides command-line tools for building apps and which has roughly two million downloads every week.
According to JFrog, CVE-2025-11953 can put developers at risk, enabling unauthenticated threat actors to execute arbitrary commands with attacker-controlled parameters through POST requests sent to the targeted server.
“Unlike typical vulnerabilities in development servers that are only exploitable from a developer’s local machine, a second security issue that the team spotted in React Native’s core codebase, exposes the development server to external network attacks – making the former vulnerability a highly critical issue,” JFrog warned.
Researchers managed to exploit the vulnerability on Windows for arbitrary OS command execution with full parameter control. On Linux and macOS, the researchers achieved code execution with limited parameter control, but they believe the vulnerability may have a higher impact on these platforms as well.
JFrog pointed out that the flaw is only exploitable against developers who use a vulnerable version of the NPM package and rely on the Metro development server.
The security firm said the vulnerability was quickly patched by Meta, which is the original developer of React Native and which continues to be involved in its maintenance alongside a significant open source community and corporate contributors such as Microsoft.
A patch for CVE-2025-11953 is included in version 20.0.0. Users have been advised to update @react-native-community/cli-server-api to this version or higher in each of their projects.
Related: Shai-Hulud Supply Chain Attack: Worm Used to Steal Secrets, 180+ NPM Packages Hit
Related: 136 NPM Packages Delivering Infostealers Downloaded 100,000 Times
Related: NPM Infrastructure Abused in Phishing Campaign Aimed at Industrial and Electronics Firms
