
Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk

Blog post from JFrog

Post Details

Company:
Date Published:
Author: Or Peles, JFrog Senior Security Researcher
Word Count: 2,172
Language: English
Hacker News Points: -
Summary

The JFrog Security Research team discovered a critical vulnerability, CVE-2025-11953, in the @react-native-community/cli NPM package, which is widely used to develop React Native mobile applications and sees around 2 million weekly downloads. The flaw allows remote, unauthenticated attackers to execute arbitrary OS commands on the machine running the React Native development server, placing developers at significant risk. The vulnerable code lives primarily in the @react-native-community/cli-server-api package; versions 4.8.0 through 20.0.0-alpha.2 are affected, and the issue is fixed in version 20.0.0. The vulnerability is especially severe because the development server is exposed to external network attacks, letting an attacker reach the /open-url endpoint and run arbitrary shell commands. Developers are advised to mitigate it by updating the affected package or by binding the development server to the localhost interface. The issue underscores the importance of secure coding practices and of automated security scanning; tools such as JFrog SAST help detect and fix vulnerabilities of this kind early in the development process.