
Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks

Severity: Critical
Exploit: remote
Published: Tue Nov 04 2025 (11/04/2025, 14:24:00 UTC)
Source: The Hacker News

Description

Details have emerged about a now-patched critical security flaw in the popular "@react-native-community/cli" npm package that could be potentially exploited to run malicious operating system (OS) commands under certain conditions. "The vulnerability allows remote unauthenticated attackers to easily trigger arbitrary OS command execution on the machine running react-native-community/cli's

AI-Powered Analysis

Last updated: 11/05/2025, 02:29:44 UTC

Technical Analysis

CVE-2025-11953 affects the @react-native-community/cli npm package, specifically the development server (Metro) that the CLI starts to bundle JavaScript code and assets for React Native apps. By default that server listens on all network interfaces rather than on localhost only, and it exposes an HTTP POST endpoint, /open-url. The endpoint takes a URL from the request body and hands it, without adequate validation, to the open() function of the open npm package, which launches the URL or file by invoking OS-level commands. Because the input is not sanitised, a remote, unauthenticated attacker who can reach the dev server port can submit a crafted POST request and obtain code execution on the developer's machine. On Windows the attacker can run arbitrary shell commands with full control over the arguments; on Linux and macOS the attacker can execute arbitrary binaries, with only limited control over their parameters. No authentication or user interaction is required, so exploitation over the network is straightforward.

The package is maintained by Meta and sees roughly 1.5 to 2 million weekly downloads, which amplifies the exposure. Versions 4.8.0 through 20.0.0-alpha.2 are affected; the fix shipped in version 20.0.0. No exploitation in the wild had been reported at the time of writing, but the low bar to exploitation and the severity of the outcome make this a high-priority issue, and a reminder of the risk that third-party dependencies introduce into the software supply chain.

Potential Impact

For European organizations the risk falls mainly on software development teams that run React Native with the vulnerable CLI and its development server. Exploitation yields remote code execution on a developer workstation, from which an attacker could steal source code and credentials, inject malicious code into applications under development, or pivot into the corporate network. The consequences range from loss of intellectual property to a downstream supply chain compromise of the apps those teams ship, as well as disruption of development workflows. Organizations with distributed or remote development environments, where developer machines sit on shared or poorly segmented networks, are the most exposed, and the same foothold could be used to deploy malware or ransomware. Given how widely React Native is used across Europe's tech sector and startup scene, the impact could be broad, affecting both the integrity and the availability of the software produced. Because no authentication is required and exploitation is easy, opportunistic attacks are likely, so timely patching and network controls are essential.

Mitigation Recommendations

1. Immediately upgrade @react-native-community/cli to version 20.0.0 or later, where the vulnerability is patched. The CLI is usually pulled in transitively rather than listed directly in package.json, so verify the installed version in the lockfile rather than in your own manifest.
2. Restrict network access to the development server: start it bound to localhost (the CLI's start command accepts a --host option) and block the server port from outside the host with firewall rules.
3. Implement network segmentation to isolate developer machines and development servers from sensitive production environments.
4. Use automated dependency scanning to detect vulnerable versions of @react-native-community/cli and other npm packages in development environments.
5. Educate developers about the risks of exposing development servers to external networks and enforce secure development environment configurations.
6. Monitor network traffic for POST requests to the /open-url endpoint from non-local sources, and watch for unusual command execution patterns on developer machines.
7. Employ endpoint detection and response (EDR) tooling to detect and respond to anomalous OS command execution spawned by Node processes.
8. Review and harden software supply chain security practices to reduce risk from third-party dependencies.
9. Where the development server is not actually needed (for example on CI build hosts), do not run it; consider alternative build tooling only if feasible, especially in high-risk environments.
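Items 1 and 4 above come down to one question: is an affected version of the CLI installed anywhere in the tree, including nested copies? The following lockfile scanner is an added example, not code from the page or from the CLI project. It walks the "packages" map of a lockfileVersion 2 or 3 package-lock.json, compares each copy of @react-native-community/cli against the range the page gives, and returns the findings. One assumption is made explicit: every 20.0.0 pre-release is treated as affected, since the page lists affected versions up to 20.0.0-alpha.2 and the fix is the 20.0.0 release. The sample lockfile is constructed for the example.

```javascript
// Added example (not from the page or the CLI project): scan an npm lockfile
// for affected @react-native-community/cli versions.
// Assumption: any 20.0.0 pre-release counts as affected (conservative).
const PACKAGE = "@react-native-community/cli";
const FIRST_AFFECTED = "4.8.0";
const FIXED = "20.0.0";

// Minimal semver parser: major.minor.patch with optional -prerelease;
// build metadata after '+' is accepted and ignored, as semver ordering requires.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version);
  if (!m) return null;
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : null,
  };
}

// Pre-release identifiers: numeric compare numerically and sort before alphanumeric.
function compareIdentifier(a, b) {
  const aNum = /^\d+$/.test(a);
  const bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Number(a) - Number(b);
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns <0, 0 or >0 following semver precedence rules.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  }
  if (!a.pre && !b.pre) return 0;
  if (!a.pre) return 1;   // a release outranks any pre-release of the same core
  if (!b.pre) return -1;
  const n = Math.max(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    if (a.pre[i] === undefined) return -1;  // the shorter identifier list sorts first
    if (b.pre[i] === undefined) return 1;
    const c = compareIdentifier(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Affected iff FIRST_AFFECTED <= version < FIXED.
function isAffected(version) {
  const v = parseSemver(version);
  if (!v) return false;  // git URL, tag or file: spec; report and inspect by hand
  return compareSemver(v, parseSemver(FIRST_AFFECTED)) >= 0 &&
         compareSemver(v, parseSemver(FIXED)) < 0;
}

// Keys of the "packages" map are install paths, so a nested copy that lives
// under another dependency's node_modules is found as well as the top-level one.
function scanLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (!installPath.endsWith("node_modules/" + PACKAGE)) continue;
    if (typeof entry.version === "string" && isAffected(entry.version)) {
      findings.push({ path: installPath, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile for the example; not taken from any real project.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "react-native": "0.74.0" } },
    "node_modules/react-native": { version: "0.74.0" },
    "node_modules/@react-native-community/cli": { version: "13.6.9" },
    "node_modules/legacy-tool/node_modules/@react-native-community/cli": { version: "20.0.0" },
  },
});
```

Run it against a real tree with scanLockfile(fs.readFileSync("package-lock.json", "utf8")); anything it returns needs the dependency that pulls the CLI in to be bumped, which npm ls @react-native-community/cli will show. The scanner deliberately returns false for specs it cannot parse instead of guessing, so unusual entries surface as gaps to check by hand rather than as silent passes.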


Technical Details

Article source: https://thehackernews.com/2025/11/critical-react-native-cli-flaw-exposed.html (fetched 2025-11-05T02:28:31Z, 967 words)

Threat ID: 690ab65816b8dcb1e3e70738

Added to database: 11/5/2025, 2:28:40 AM

Last enriched: 11/5/2025, 2:29:44 AM

Last updated: 11/5/2025, 3:12:19 PM