Security researchers at JFrog Ltd. disclosed a critical vulnerability in the React open-source JavaScript library developed by Meta Platforms Inc., posing a significant risk to developers, Silicon Angle reported.
The vulnerability, tracked as CVE-2025-11953, was found in the @react-native-community/cli NPM package, which has over two million weekly downloads. It allows unauthenticated attackers to execute arbitrary commands on React Native development servers, potentially compromising developer environments. The flaw stems from unsafe handling of user input in the CLI's /open-url endpoint; it primarily impacts Windows systems but also poses risks to macOS and Linux installations. Meta was informed and has released patches for the affected versions.
Developers are urged to update to secure versions promptly and, if unable to do so immediately, to mitigate risks by binding the development server to localhost.
Source: Silicon Angle