Millions of developers could be open to attack after critical flaw exploited - here's what we know

News
By published

An npm package with 2 million weekly downloads found vulnerable

Security
(Image credit: Shutterstock) (Image credit: Shutterstock)
  • CVE-2025-11953 allows OS command injection via Metro server in React Native CLI
  • Affects versions 4.8.0–20.0.0-alpha.2; patched in 20.0.0; exploit requires no authentication
  • No confirmed exploitation yet; restrict server exposure or update immediately

A widely popular npm package carried a critical severity vulnerability that allowed threat actors to, in certain scenarios, run malicious commands, experts have warned.

Cybersecurity researchers from JFrog say the package in question is called “@react-native-community/cli”, made to help developers build React Native mobile applications, and getting up to two million downloads a week.

On NVD, it is explained the Metro Development Server, opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint vulnerable to OS command injection, allowing threat actors to send a POST request and run arbitrary executables - meaning on Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments, and on Linux and macOS, on the other hand, it can execute arbitrary binaries with limited parameter control.

Acting like hacktivists

The bug is tracked as CVE-2025-11953, and has a severity score of 9.8/10 (critical). It affects package versions 4.8.0 through 20.0.0-alpha.2, and has been patched in version 20.0.0 released early last month. Those that cannot immediately update their endpoints should restrict network exposure of the Metro server.

If you are using React Native with a framework that doesn’t rely on Metro as a development server, you are not affected, it was further stated. "This zero day vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements and broad attack surface," JFrog’s researchers explained. "It also exposes the critical risks hidden in third-party code."

"For developer and security teams, this underscores the need for automated, comprehensive security scanning across the software supply chain to ensure easily exploitable flaws are remediated before they impact your organization."

At press time, there were no confirmed public reports that CVE‑2025‑11953 had been exploited in the wild. Multiple sources indicate that while the vulnerability is highly exploitable, actual exploit activity hasn’t yet been verified.

Via The Hacker News

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.