Critical remote code execution flaw reported in React Native CLI
Take action: If you're a React Native developer, update @react-native-community/cli-server-api to version 20.0.0 or higher. The flaw lets an attacker on the same network execute commands on your development machine whenever the Metro development server is running. If you can't update right away, start Metro with the --host 127.0.0.1 flag (for example `npx react-native start --host 127.0.0.1`) so it stops accepting connections from other hosts until you can apply the patch. Patch every project on your computer as well as any globally installed copy of the package.
Learn More
The JFrog Security Research team is reporting a critical security vulnerability affecting the React Native development framework that could allow remote unauthenticated attackers to execute arbitrary operating system commands on developer machines.
The vulnerability is found in the @react-native-community/cli-server-api NPM package, part of the React Native Community CLI project (@react-native-community/cli) that was extracted from the core React Native codebase several years ago to improve maintainability. This command-line toolkit provides the tools developers rely on daily for initializing projects, running development servers, and building mobile applications.
The flaw is tracked as CVE-2025-11953 (CVSS score: 9.8), and is caused by unsafe handling of user-supplied input in the Metro development server's /open-url endpoint. When developers run the Metro development server using commands such as npm start, npm run android, npx react-native start, or similar commands, the server creates an HTTP endpoint at /open-url that accepts POST requests containing a URL parameter. This endpoint takes user-provided input from the request body and passes it directly to the open() function from the open NPM package version 6.4.0 without any sanitization or validation. The open() function is designed to open files or URLs using the system's default applications, but when provided with malicious input, it can be exploited to execute arbitrary commands on the underlying operating system.
On Windows systems, the vulnerability enables full arbitrary shell command execution with complete parameter control. When the open() function processes the malicious input, it constructs and executes Windows cmd.exe commands using the format cmd /c start "" /b [user_input].
Attackers can use this to execute any Windows command by crafting payloads such as cmd /c echo malicious_code > file.txt or launching arbitrary executables like calc.exe.
On macOS and Linux systems, the attack surface differs slightly due to how these operating systems handle the open and xdg-open commands respectively. Full arbitrary command execution may require additional research on these platforms but attackers can still execute arbitrary binaries with limited parameter control, potentially exploiting URI scheme handlers, executing local files through file:// URIs, or accessing remote files via SMB or WebDAV protocols.
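The handler below is an added illustration, not code from the React Native CLI project or from the JFrog report: it reconstructs the unsafe shape of a /open-url handler that hands the request body straight to a launcher, and places a hardened handler beside it. The `opener` callback stands in for `open()` from the `open` package so the example runs offline; the function names, the host allowlist and the sample request bodies are this example's own assumptions.

```javascript
// Added example (not the project's code): unsafe /open-url pattern beside a
// hardened one. `opener` stands in for open() from the `open` package.

// Unsafe pattern: whatever the client put in the JSON body reaches the launcher,
// so "calc.exe" or "cmd /c echo ... > file.txt" is executed as-is on Windows.
function vulnerableOpenUrlHandler(body, opener) {
  opener(body.url);
  return 200;
}

// Only these schemes are ever handed to the system launcher.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);
// Assumption: a dev-server endpoint only ever needs to open pages served locally.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Returns the normalised URL string, or null if the input must be rejected.
function validateOpenUrl(raw) {
  if (typeof raw !== 'string' || raw.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(raw); // throws on "calc.exe", "cmd /c ...", bare paths
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null; // drops file:, smb:, custom handlers
  if (!ALLOWED_HOSTS.has(parsed.hostname)) return null;   // drops remote hosts
  return parsed.href; // pass the re-serialised form, never the raw string
}

function hardenedOpenUrlHandler(body, opener) {
  const href = validateOpenUrl(body && body.url);
  if (href === null) return 400;
  opener(href);
  return 200;
}

// Constructed request bodies: one legitimate local URL, the rest modelled on
// the payload shapes described above.
const SAMPLE_BODIES = [
  { url: 'http://localhost:8081/debugger-ui/' },
  { url: 'calc.exe' },
  { url: 'cmd /c echo malicious_code > file.txt' },
  { url: 'file:///etc/passwd' },
  { url: 'http://attacker.test/payload' },
];

// Runs both handlers over the samples; returns what each one actually launched.
function compareHandlers(bodies) {
  const launched = { vulnerable: [], hardened: [] };
  for (const body of bodies) {
    vulnerableOpenUrlHandler(body, (target) => launched.vulnerable.push(target));
    hardenedOpenUrlHandler(body, (target) => launched.hardened.push(target));
  }
  return launched;
}

console.log(compareHandlers(SAMPLE_BODIES));
```

The vulnerable handler launches all five samples; the hardened one launches only the loopback http URL and answers 400 to the rest. Scheme and host validation is defence in depth for any endpoint that drives a system launcher, not a substitute for updating to 20.0.0.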
Compounding the severity of this vulnerability is a second security issue discovered in React Native's core codebase. The Metro development server, despite displaying a message claiming it starts on localhost (127.0.0.1), actually binds to all network interfaces by default (0.0.0.0 for IPv4 and :: for IPv6).
This network exposure transforms what might have been a local-only vulnerability into a remotely exploitable critical flaw, allowing attackers on the same network or even potentially from the internet to target vulnerable development servers.
Affected versions are:
- @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 are vulnerable to this critical security flaw.
- Projects using @react-native-community/cli versions 4.8.0 through 20.0.0-alpha.2 are likely affected, as the vulnerable cli-server-api package is commonly bundled with these versions.
The vulnerability has been fixed in @react-native-community/cli-server-api version 20.0.0, released in early October 2025.
Developers are vulnerable if they initiated their React Native project with an affected version of @react-native-community/cli and run the Metro development server using commands such as npm start, npm run start/android/ios/windows/macos, npx react-native start/run-android/run-ios/run-windows/run-macos, or npx @react-native-community/cli start.
It is important to note that not every developer with this library installed as a dependency is necessarily vulnerable. Developers who use React Native with frameworks such as Expo, which start the development server through their own tooling rather than through this package's Metro server, are typically not affected by this vulnerability.
Developers can check whether the vulnerable package exists in their Node.js projects by navigating to the project folder and running npm list @react-native-community/cli-server-api. The package may also be globally installed on the system, which can be verified by running npm list -g @react-native-community/cli-server-api.
JFrog recommends that all affected developers update @react-native-community/cli-server-api to version 20.0.0 or higher in each React Native project. This can be accomplished by updating the package dependencies and running npm install or yarn install to apply the changes.
For developers who can't upgrade immediately, or who want defence in depth after upgrading, an effective workaround is to explicitly bind the development server to the loopback interface only. This is done by including the --host 127.0.0.1 flag when starting the server, using commands such as npx react-native start --host 127.0.0.1 or npx @react-native-community/cli start --host 127.0.0.1. The server then no longer accepts connections from other hosts on the network, which removes the remote attack surface while keeping full local development functionality; note that it does not fix the endpoint itself, so anything running on the machine can still reach it.