SECURITY
Security researchers at software supply chain company JFrog Ltd. today revealed details of a critical vulnerability in React, the open-source JavaScript library developed by Meta Platforms Inc., that potentially puts millions of developers at risk of remote code execution.
The JFrog Security Research team found the vulnerability in the popular @react-native-community/cli NPM package, which is downloaded more than 2 million times a week. Tracked as CVE-2025-11953, the vulnerability has a Common Vulnerability Scoring System score of 9.8, or critical.
The vulnerability, when exploited, allows unauthenticated attackers to execute arbitrary operating system commands on machines running the React Native development server (Metro) and can compromise developer environments.
The issue itself was found in React Native’s core codebase and can expose the server to external networks, notably even when development servers are deployed locally, making the risk from the vulnerability particularly severe.
The vulnerability was due to unsafe handling of user-supplied input in the CLI’s /open-url endpoint, which passes unsanitized data to the open() function from the NPM package open. The issue primarily affects Windows, where the vulnerability can be exploited to run arbitrary shell commands such as launching calc.exe, although in theory, it could also affect installations on macOS and Linux.
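The root cause described above is a classic unsanitized-sink problem: a request parameter reaches a function that ultimately hands a string to the operating system. The following is an added illustration (not code from React Native, the `open` package, or JFrog's write-up) of the kind of allowlist check a defender would put in front of such an endpoint. The handler shape (`handleOpenUrl`, the injected `openInBrowser` callback, and the sample URLs) is assumed for the example; the point is that only parsed, scheme-restricted URLs ever reach the sink.

```javascript
// Added example, not the project's code: a defensive allowlist for an
// "open this URL in the browser" endpoint. Schemes outside this set have no
// legitimate reason to be handed to the OS by a development server.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns { ok: true, url } with a re-serialised URL when the input is safe
// to forward, or { ok: false, reason } when it must be rejected and logged.
function validateOpenUrl(rawInput) {
  if (typeof rawInput !== "string" || rawInput.length === 0 || rawInput.length > 2048) {
    return { ok: false, reason: "empty, non-string or oversized input" };
  }
  // Control characters and whitespace have no place in a URL we forward.
  if (/[\u0000-\u0020\u007f]/.test(rawInput)) {
    return { ok: false, reason: "control characters or whitespace present" };
  }
  let parsed;
  try {
    parsed = new URL(rawInput); // WHATWG parser; throws on relative or garbage input
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  // Forward the parser's own serialisation, not the raw bytes the client sent.
  return { ok: true, url: parsed.href };
}

// Hypothetical handler (assumed shape): wires the check in front of the sink.
// `openInBrowser` stands in for the real open() call and is injected so the
// example runs without the `open` package installed.
function handleOpenUrl(query, openInBrowser) {
  const result = validateOpenUrl(query.url);
  if (!result.ok) {
    return { status: 400, body: `rejected: ${result.reason}` };
  }
  openInBrowser(result.url);
  return { status: 200, body: "opened" };
}
```

Rejecting early and re-serialising from the parsed object means the string that reaches the sink is exactly what the validator reasoned about; binding the server to localhost (as recommended below) remains the complementary network-level control, since validation alone does not stop an endpoint from being reachable.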
The vulnerability was disclosed to Meta before JFrog went public with the details and has been patched in new releases.
The vulnerability affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2. A fix is available in version 20.0.0 and later. Developers who are unsure what version of React they are using can check their projects by running npm list @react-native-community/cli-server-api or npm list -g @react-native-community/cli-server-api to determine if vulnerable versions are present.
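Reading the affected range off `npm list` output by eye is error-prone once prerelease tags are involved, because `20.0.0-alpha.2` is affected while `20.0.0` is not. The following added example (not JFrog's or the project's tooling) turns the range stated above, 4.8.0 through 20.0.0-alpha.2 with the fix in 20.0.0, into a semver-aware check and runs it over `name@version` lines of the kind `npm list` prints. The sample output and the version numbers in it are constructed for the example.

```javascript
// Added example, not the project's code: semver-aware check for the affected
// range of @react-native-community/cli-server-api reported above.

// Parses "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null,
  };
}

// Semver precedence: numeric core first; a prerelease sorts BEFORE the matching
// release; prerelease identifiers compare numerically when both are numbers,
// otherwise as ASCII strings, with numeric identifiers ahead of alphanumeric.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= a.pre.length) return -1;
    if (i >= b.pre.length) return 1;
    const x = a.pre[i], y = b.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

const FIRST_AFFECTED = parseSemver("4.8.0");
const FIXED = parseSemver("20.0.0");

// true for versions in [4.8.0, 20.0.0); every 20.0.0 prerelease, including
// 20.0.0-alpha.2, sorts below 20.0.0 and is therefore still affected.
function isAffected(version) {
  const v = parseSemver(version);
  return compareSemver(v, FIRST_AFFECTED) >= 0 && compareSemver(v, FIXED) < 0;
}

// Scans "name@version" tokens in npm list output for the affected package.
function auditNpmListOutput(output) {
  const findings = [];
  const re = /@react-native-community\/cli-server-api@(\S+)/g;
  let m;
  while ((m = re.exec(output)) !== null) {
    findings.push({ version: m[1], affected: isAffected(m[1]) });
  }
  return findings;
}

// Constructed sample of npm list output (versions are made up for the example).
const SAMPLE_NPM_LIST = [
  "my-app@1.0.0 /home/dev/my-app",
  "└─┬ @react-native-community/cli@19.1.0",
  "  └── @react-native-community/cli-server-api@19.1.0",
].join("\n");
```

Run `auditNpmListOutput` over the real output of the two `npm list` commands above (project-local and global) to get one finding per installed copy; a monorepo or a globally installed CLI can carry more than one.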
Those who are unable to immediately update their React deployments are advised by JFrog’s researchers to mitigate the risk by explicitly binding the development server to localhost using the command npx react-native start --host 127.0.0.1.
“This vulnerability shows that even straightforward Remote Code Execution flaws, such as passing user input to the system shell, are still found in real-world software, especially in cases where the dangerous sink function actually resides in third-party code, which was the imported ‘open’ function in this case,” the researchers conclude. “It’s a reminder that secure coding practices and automated security scanning are essential for preventing these easily exploitable flaws before they make it to production.”