Critical vulnerability in React Native development tool actively exploited
Briefly

"Attackers are actively exploiting a critical vulnerability in React Native's Metro server to infiltrate development environments. The vulnerability, CVE-2025-11953, allows malicious actors to execute code on Windows and Linux systems via exposed development servers. Metro is React Native's default JavaScript bundler during application development and testing. In many configurations, this server runs locally, but by default, Metro can also bind to external network interfaces. This makes HTTP endpoints available that are intended for development. It is precisely this functionality that now constitutes an attack vector,"
"Researchers discovered that the /open-url endpoint accepts POST requests with a supplied URL that is passed on to an internal function without being checked. This allows an attacker on Windows to execute arbitrary system commands without authentication. On Linux and macOS, it is possible to launch executable files, with limited control over parameters. The issue affects versions of @react-native-community/cli-server-api from 4.8.0 through 20.0.0-alpha.2. The vulnerability has been fixed in version 20.0.0 and newer, but many development environments appear to still be vulnerable."
CVE-2025-11953 allows unauthenticated remote code execution through React Native's Metro server when its development HTTP endpoints are exposed. The /open-url endpoint forwards a supplied URL to an internal function without validation, enabling command execution on Windows and executable launches on Linux and macOS. The vulnerability affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 and is fixed in 20.0.0 and later. Proof-of-concept exploits and real-world attacks have been observed. Attackers delivered base64-encoded PowerShell via POST requests, disabled Microsoft Defender by adding directory exceptions, connected back to attacker infrastructure over TCP, retrieved additional malware, and executed files from the temporary directory.
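As an added defensive illustration (not code from the Metro or @react-native-community/cli-server-api projects), the following Node.js sketch shows the checks a dev-server "/open-url" style endpoint should make before handing a caller-supplied URL to anything that opens it: a loopback-only peer check, an http(s) scheme allowlist, a host allowlist and rejection of shell-significant characters. The function and field names (isSafeOpenUrl, handleOpenUrl, req.remoteAddress) are hypothetical.

```javascript
// Added example, not the cli-server-api project's code: a hardened shape for a
// development-server "/open-url" handler. Names used here are hypothetical.

// Peers that may talk to a developer-only endpoint, even if the server itself
// was bound to an external interface.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
// Anything a shell, cmd.exe or "start" could interpret is refused outright
// rather than quoted. A dev URL never legitimately needs these, so the check
// is deliberately strict (query strings containing "&" are refused too).
const FORBIDDEN = /[\s"'`&|;<>$(){}^\\]/;

function isSafeOpenUrl(value, allowedHosts = new Set(["localhost", "127.0.0.1", "[::1]"])) {
  if (typeof value !== "string" || value.length === 0 || value.length > 2048) return false;
  if (FORBIDDEN.test(value)) return false;
  let parsed;
  try {
    parsed = new URL(value); // WHATWG parser; throws on anything not a URL
  } catch {
    return false;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false; // no file:, javascript:, ...
  if (parsed.username || parsed.password) return false; // no "user@host" tricks
  return allowedHosts.has(parsed.hostname); // Node keeps the brackets on IPv6
}

// req is a plain object {method, remoteAddress, body}; opener is injected so the
// handler can be exercised without launching anything. Returns {status, reason}.
function handleOpenUrl(req, opener) {
  if (req.method !== "POST") return { status: 405, reason: "method" };
  if (!LOOPBACK.has(req.remoteAddress)) return { status: 403, reason: "remote peer" };
  const url = req.body && req.body.url;
  if (!isSafeOpenUrl(url)) return { status: 400, reason: "url rejected" };
  opener(url); // only ever receives a validated http(s) URL for an allowed host
  return { status: 200, reason: "opened" };
}
```

The opener itself should also avoid a shell entirely (pass the URL as a single argument, never interpolate it into a command string), so the character filter is a second layer rather than the only one.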
Read at Techzine Global