Warning: Critical React Native CLI vulnerability, Patch Immediately!

Published: 05/11/2025
  • Last update: 05/11/2025

  • Affected software: @react-native-community/cli-server-api package

  • Type: OS command injection

  • CVE/CVSS: CVE-2025-11953: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

JFrog: https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/

Risks

A critical vulnerability (CVE-2025-11953, CVSS 9.8) has been identified in the React Native Community CLI NPM package, widely used for building React Native applications. The flaw allows unauthenticated remote attackers to execute arbitrary system commands via specially crafted POST requests sent to the Metro development server.

The vulnerability is especially severe because the Metro development server can be reached over the network, so exploitation does not require access to the developer's own machine. Successful exploitation grants the attacker OS command execution with full control over the command and its arguments on Windows, and more limited code execution on Linux and macOS.

The flaw is only exploitable against developers who use a vulnerable version of the NPM package and rely on the Metro development server.

Description

The JFrog Security Research team recently disclosed CVE-2025-11953, a critical remote code execution vulnerability (CVSS 9.8).

While the vulnerability is exploitable by default in a project initialised with @react-native-community/cli, not every developer who has this library installed as a dependency is necessarily vulnerable.

Specifically, developers who use React Native with a framework that doesn’t use Metro as the development server are typically not vulnerable.

The vulnerability directly affects the @react-native-community/cli-server-api package, versions 4.8.0 to 20.0.0-alpha.2, and is fixed since version 20.0.0.

Note that the affected package is commonly bundled with @react-native-community/cli in matching versions. As a result, projects using @react-native-community/cli versions 4.8.0 through 20.0.0-alpha.2 are likely to include vulnerable versions of @react-native-community/cli-server-api.

Researchers showed that on Windows the flaw can be used to run OS commands with complete control over the command and its arguments. On macOS and Linux, the issue allows launching arbitrary executables but only with restricted argument control; further research could potentially enable full command execution there as well.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends updating vulnerable projects and developer environments with the highest priority after thorough testing.

  • Update @react-native-community/cli-server-api to version 20.0.0 or higher, which includes a fix for this vulnerability, in each of your react-native projects.
  • For improved security, or if upgrading is not possible, bind the development server to the localhost interface explicitly.

Monitor/Detect 

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version or implementing specific mitigations may protect against future exploitation, it does not remediate historic compromise.

References

SecurityWeek: https://www.securityweek.com/critical-flaw-in-popular-react-native-npm-package-exposes-developers-to-attacks/
TheHackerNews: https://thehackernews.com/2025/11/critical-react-native-cli-flaw-exposed.html