Software supply chain security firm JFrog has disclosed the details of a critical vulnerability affecting a popular React Native NPM package.
React Native is an open source framework designed for building applications that work across mobile, desktop and web platforms.
The vulnerability discovered by JFrog researchers, tracked as CVE-2025-11953 and assigned a CVSS score of 9.8, impacts the React Native Community CLI NPM package (@react-native-community/cli), which provides command-line tools for building apps and which has roughly two million downloads every week.
According to JFrog, CVE-2025-11953 can put developers at risk, enabling unauthenticated threat actors to execute arbitrary commands with attacker-controlled parameters through POST requests sent to the targeted server.
“Unlike typical vulnerabilities in development servers that are only exploitable from a developer’s local machine, a second security issue that the team observed in React Native’s core codebase exposes the development server to external network attacks – making the previous vulnerability a highly critical issue,” JFrog warned.
Researchers managed to exploit the vulnerability on Windows for arbitrary OS command execution with full parameter control. On Linux and macOS, the researchers achieved code execution with limited parameter control, but they believe the vulnerability could have a higher impact on these platforms as well.
JFrog pointed out that the flaw is only exploitable against developers who use a vulnerable version of the NPM package and rely on the Metro development server.
The security firm said the vulnerability was quickly patched by Meta, which is the original developer of React Native and which continues to be involved in its maintenance alongside a large open source community and corporate contributors such as Microsoft.
A patch for CVE-2025-11953 is included in version 20.0.0. Users have been advised to update @react-native-community/cli-server-api to this version or higher in each of their projects.
Related: Shai-Hulud Supply Chain Attack: Worm Used to Steal Secrets, 180+ NPM Packages Hit
Related: 136 NPM Packages Delivering Infostealers Downloaded 100,000 Times
Related: NPM Infrastructure Abused in Phishing Campaign Aimed at Industrial and Electronics Firms
