CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Application Security

Critical Flaw in Popular React Native NPM Package Exposes Developers to Attacks

Arbitrary command/code execution has been demonstrated through the exploitation of CVE-2025-11953 on Windows, macOS and Linux. The post Critical Flaw in Popular React Native NPM Package Exposes Developers to Attacks appeared first on SecurityWeek.

Developer security vulnerability

Software supply chain security firm JFrog has disclosed the details of a critical vulnerability affecting a popular React Native NPM package.

React Native is an open source framework designed for creating applications that work across mobile, desktop and web platforms. 

The vulnerability discovered by JFrog researchers, tracked as CVE-2025-11953 and assigned a CVSS score of 9.8, impacts the React Native Community CLI NPM package (@react-native-community/cli), which provides command-line tools for building apps and which has roughly two million downloads every week. 

According to JFrog, CVE-2025-11953 can put developers at risk, enabling unauthenticated threat actors to execute arbitrary commands with attacker-controlled parameters through POST requests sent to the targeted server.

“Unlike typical vulnerabilities in development servers that are only exploitable from a developer’s local machine, a second security issue that the team spotted in React Native’s core codebase, exposes the development server to external network attacks – making the former vulnerability a highly critical issue,” JFrog warned.

Researchers managed to exploit the vulnerability on Windows for arbitrary OS command execution with full parameter control. On Linux and macOS, the researchers achieved code execution with limited parameter control, but they believe the vulnerability may have a higher impact on these platforms as well. 

JFrog pointed out that the flaw is only exploitable against developers who use a vulnerable version of the NPM package and rely on the Metro development server.

The security firm said the vulnerability was quickly patched by Meta, which is the original developer of React Native and which continues to be involved in its maintenance alongside a significant open source community and corporate contributors such as Microsoft. 

A patch for CVE-2025-11953 is included in version 20.0.0. Users have been advised to update @react-native-community/cli-server-api to this version or higher in each of their projects. 

Related: Shai-Hulud Supply Chain Attack: Worm Used to Steal Secrets, 180+ NPM Packages Hit

Related: 136 NPM Packages Delivering Infostealers Downloaded 100,000 Times

Related: NPM Infrastructure Abused in Phishing Campaign Aimed at Industrial and Electronics Firms

Latest News

CYBERNEWSMEDIAPublisher