Arbitrary command/code execution has been demonstrated through the exploitation of CVE-2025-11953 on Windows, macOS and Linux.
November 4, 2025 By Eduard Kovacs
Software supply chain security firm JFrog has disclosed the details of a critical vulnerability affecting a popular React Native NPM package.
React Native is an open source framework designed for creating applications that work across mobile, desktop and web platforms.
The vulnerability discovered by JFrog researchers, tracked as CVE-2025-11953 and assigned a CVSS score of 9.8, impacts the React Native Community CLI NPM package (@react-native-community/cli), which provides command-line tools for building apps and which has roughly two million downloads every week.
According to JFrog, CVE-2025-11953 can put developers at risk, enabling unauthenticated threat actors to execute arbitrary commands with attacker-controlled parameters through POST requests sent to the targeted server.
“Unlike typical vulnerabilities in development servers that are only exploitable from a developer’s local machine, a second security issue that the team spotted in React Native’s core codebase exposes the development server to external network attacks – making the former vulnerability a highly critical issue,” JFrog warned.
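The second issue described above turns a localhost-only bug into a network-reachable one, so the practical question for a developer is whether the dev server is listening on anything other than a loopback address. The following script is an added example, not code from the article or from JFrog's research: it parses `ss -ltn` style output and reports listening sockets on the React Native/Metro default port (8081) that are bound to a wildcard or non-loopback address. The `ss` output embedded below is constructed for the example, not captured from a real machine.

```python
"""Flag development-server listeners that are reachable from other hosts.

Added example (not from the SecurityWeek article or JFrog's research): given
`ss -ltn` style output, report which LISTEN sockets on the given ports are
bound beyond loopback. Port 8081 is the Metro / React Native dev-server
default; the sample output below is constructed for this example.
"""
import ipaddress

DEV_SERVER_PORTS = {8081}

# Constructed sample of `ss -ltn` output (not captured from a real machine).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     *:8081               *:*
LISTEN  0       511     127.0.0.1:8082       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     [::1]:8081           [::]:*
LISTEN  0       511     [::]:3000            [::]:*
"""

# Address forms ss prints for "bound to every interface".
_WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}


def _split_addr_port(field: str):
    """Split '127.0.0.1:8082', '[::1]:8081' or '*:8081' into (host, port)."""
    host, _, port = field.rpartition(":")
    return host, int(port)


def is_loopback(host: str) -> bool:
    """True only when the socket cannot be reached from another host."""
    if host in _WILDCARDS:
        return False
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostname or unrecognised form: treat as reachable


def exposed_listeners(ss_output: str, ports=DEV_SERVER_PORTS):
    """Return [(host, port)] for LISTEN sockets on `ports` bound beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, port = _split_addr_port(fields[3])
        if port in ports and not is_loopback(host):
            exposed.append((host, port))
    return exposed


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"dev server on {host}:{port} is reachable from the network; "
              f"bind it to 127.0.0.1 instead")
```

Run it against real output with `ss -ltn | python3 check_dev_server.py` after replacing `SAMPLE_SS_OUTPUT` with `sys.stdin.read()`; the loopback-bound `[::1]:8081` entry in the sample is correctly left alone, while the `*:8081` entry is the case the JFrog advisory warns about.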