Cyber Web Spider Blog – News

Critical Flaw in Popular React Native NPM Package Exposes Developers to Attacks


Posted on November 4, 2025 By CWS

Software supply chain security firm JFrog has disclosed the details of a critical vulnerability affecting a popular React Native NPM package.

React Native is an open source framework designed for creating applications that work across mobile, desktop and web platforms.

The vulnerability discovered by JFrog researchers, tracked as CVE-2025-11953 and assigned a CVSS score of 9.8, impacts the React Native Community CLI NPM package (@react-native-community/cli), which provides command-line tools for building apps and which has roughly two million downloads every week.

According to JFrog, CVE-2025-11953 can put developers at risk, enabling unauthenticated threat actors to execute arbitrary commands with attacker-controlled parameters through POST requests sent to the targeted server.

“Unlike typical vulnerabilities in development servers that are only exploitable from a developer’s local machine, a second security issue that the team noticed in React Native’s core codebase, exposes the development server to external network attacks – making the former vulnerability a highly critical issue,” JFrog warned.

Researchers managed to exploit the vulnerability on Windows for arbitrary OS command execution with full parameter control. On Linux and macOS, the researchers achieved code execution with limited parameter control, but they believe the vulnerability could have a higher impact on these platforms as well.

JFrog pointed out that the flaw is only exploitable against developers who use a vulnerable version of the NPM package and rely on the Metro development server.

The security firm said the vulnerability was quickly patched by Meta, which is the original developer of React Native and which continues to be involved in its maintenance alongside a large open source community and corporate contributors such as Microsoft.

A patch for CVE-2025-11953 is included in version 20.0.0. Users have been advised to update @react-native-community/cli-server-api to this version or higher in each of their projects.
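One way to check a project against this advice, as an added example (not code from JFrog, Meta or the React Native project): the script walks a parsed package-lock.json and reports every installed copy of @react-native-community/cli-server-api below 20.0.0, including copies nested under other dependencies. The function names and the sample lockfile are constructed for illustration; the script flags anything below the stated fix version, which is not a claim that every such version is affected.

```javascript
// Added example; the lockfile contents below are constructed sample data.
const PACKAGE = "@react-native-community/cli-server-api";
const FIXED = "20.0.0"; // patched version named in the article

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  return m ? { core: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// True when `version` sorts below `fixed`; a pre-release of the fixed
// version (20.0.0-alpha.1) counts as below it, as in semver.
function isBelow(version, fixed) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!a || !b) return true; // unparseable: report for manual review
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre !== null && b.pre === null;
}

// Return every installed copy of PACKAGE below FIXED in a parsed
// package-lock.json, including copies nested under other dependencies.
function findUnpatched(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const match = path.endsWith("node_modules/" + PACKAGE);
    if (match && isBelow(info.version, FIXED)) hits.push({ path, version: info.version });
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === PACKAGE && isBelow(info.version, FIXED)) hits.push({ path, version: info.version });
      walk(info.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/@react-native-community/cli-server-api": { version: "19.1.1" },
  "node_modules/x/node_modules/@react-native-community/cli-server-api": { version: "20.0.0-alpha.2" },
  "node_modules/y/node_modules/@react-native-community/cli-server-api": { version: "20.0.2" },
} };
console.log(findUnpatched(sampleLock));
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findUnpatched` and run it in each project directory.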
