In November 2025, researchers disclosed a critical vulnerability (CVE-2025-11953) in the @react-native-community/cli package used for React Native development. The flaw allowed unauthenticated attackers to execute OS commands via the /open-url endpoint in the Metro development server, affecting versions 4.8.0 through 20.0.0-alpha.2. With a CVSS score of 9.8, this vulnerability posed a severe risk to any development environment using vulnerable versions.

Developers should upgrade immediately to a patched version of the CLI (20.0.0 or later) and keep development servers off untrusted networks. Supply chain security is critical: always verify the integrity of open-source packages and monitor for security advisories. Use automated tooling such as software composition analysis (SCA) to identify vulnerable dependencies, and apply updates promptly.

This incident underscores the need for secure coding practices and DevSecOps. Incorporate security checks into CI/CD pipelines, including static and dynamic analysis, dependency scanning, and unit tests. Educate developers about secure coding guidelines and encourage them to scrutinise every dependency they add. By proactively managing your development environment, you reduce the likelihood of a vulnerability like CVE-2025-11953 impacting your organisation.
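The dependency-scanning step recommended above (and the SCA advice in the previous paragraph) can be illustrated with a small lockfile check. The script below is an added example, not code from this post or from the react-native-community project: it walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2 or 3 layout), finds every copy of @react-native-community/cli, including copies nested under other tools, and reports those whose version falls in the affected range quoted in the post (4.8.0 through 20.0.0-alpha.2). The semver comparison is written inline so the script has no dependencies of its own, and the lockfile it scans by default is a constructed sample; pass a real lockfile path as the first argument to scan it and get a non-zero exit code in CI when an affected copy is found.

```javascript
// Added example (not from the original post or the react-native-community
// project): report copies of @react-native-community/cli in a package-lock.json
// whose version is in the range the advisory names as affected.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts (build metadata after "+" is ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: numeric core first; a prerelease sorts below the bare
// release (20.0.0-alpha.2 < 20.0.0); then prerelease identifiers one by one.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;
  if (y.pre.length === 0) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (i >= x.pre.length) return -1; // shorter prerelease list sorts lower
    if (i >= y.pre.length) return 1;
    const p = x.pre[i], q = y.pre[i];
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (Number(p) !== Number(q)) return Number(p) < Number(q) ? -1 : 1; }
    else if (pn) return -1;            // numeric identifiers sort below alphanumeric ones
    else if (qn) return 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Affected range exactly as quoted in the post.
const AFFECTED_PACKAGE = '@react-native-community/cli';
const AFFECTED_MIN = '4.8.0';
const AFFECTED_MAX = '20.0.0-alpha.2';

function isAffected(version) {
  return compareSemver(version, AFFECTED_MIN) >= 0 && compareSemver(version, AFFECTED_MAX) <= 0;
}

// Lockfile keys look like "node_modules/@react-native-community/cli" or, for a
// nested copy, "node_modules/some-tool/node_modules/@react-native-community/cli".
function findAffected(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/' + AFFECTED_PACKAGE)) continue;
    if (meta && meta.version && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

function scanLockfileText(text) {
  return findAffected(JSON.parse(text));
}

// Constructed sample: a patched top-level copy and an affected copy nested under a tool.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@react-native-community/cli': { version: '20.0.0' },
    'node_modules/some-tool/node_modules/@react-native-community/cli': { version: '12.3.6' },
  },
};

// CLI use: node scan-lock.js [path/to/package-lock.json]; with no path the sample is scanned.
if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const text = lockPath ? require('fs').readFileSync(lockPath, 'utf8') : JSON.stringify(SAMPLE_LOCK);
  const hits = scanLockfileText(text);
  for (const h of hits) console.log(`AFFECTED ${h.path} ${h.version}`);
  if (!hits.length) console.log(`no affected copies of ${AFFECTED_PACKAGE}`);
  if (lockPath) process.exitCode = hits.length ? 1 : 0; // fail the CI step on a real lockfile
}
```

Because nested copies under other tooling are reported too, the check catches an affected CLI that `npm ls` at the top level would not surface; a CI job that runs it against the committed lockfile fails the build until the offending dependency is updated.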
