Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Critical Vulnerability in React Native CLI NPM Package

5 November 2025

Security researchers have identified a critical vulnerability in the React Native CLI NPM package. Developers of affected product versions are strongly advised to update to the latest versions immediately.

Background

Security researchers have identified a critical vulnerability (CVE-2025-11953) in the React Native CLI NPM package. This vulnerabilitiy has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.

Impact

Successful exploitation allows an unauthenticated attacker to send a specially crafted POST request to the server and perform arbitrary shell commands with full parameter control on Windows systems and arbitrary binaries with limited parameter control on Linux and macOS.

Affected Products

The vulnerability affects products that fulfil the following conditions:

  • Developers initiating their React Native project with react-native-community/cli-server-api package, versions 4.8.0 to 20.0.0-alpha.2; and

  • Developers running the Metro development server via one of the following or similar commands:

  •  npm start

  •  npm run [start|android|ios|windows|macos]

  •  npx react-native [start|run-android|run-ios|run-windows|run-macos]

  •  npx @react-native-community/cli [start|run-android|run-ios|run-windows|run-macos]

Developers who use React Native with a framework that does not use Metro as the development server are typically not vulnerable.

To check if the vulnerable package exists in a specific NodeJS project:

  • cd {Project Folder}

  • npm list @react-native-community/cli-server-api

The package may also be globally installed on the system, which can be checked by running:

  • npm list -g @react-native-community/cli-server-api

Mitigation

Users and administrators of affected product versions are strongly advised to update to the latest version immediately.

Workaround

If immediate patching is not feasible, administrators may wish to bind the development server to the local host interface explicitly, by including the “–host 127.0.0.1” flag, per the commands below:

  • npx react-native start --host 127.0.0.1

  • npx @react-native-community/cli start --host 127.0.0.1

References

https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/

https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547?_gl=1*1azbrg8*_gcl_au*MTk5NDkxMjU1LjE3NjIzMjEzMTI.*FPAU*MTk5NDkxMjU1LjE3NjIzMjEzMTI.*_ga*MzQxMDc3NjMwLjE3NjIzMjEzMTM.*_ga_SQ1NR9VTFJ*czE3NjIzMjEzMTMkbzEkZzAkdDE3NjIzMjEzMTQkajU5JGwwJGgyMzYwMDI3MDY.*_fplc*MGU4cCUyRmZTTTNSZEJRdHVhUmVEWTExbHFxQkJDZUNLSTJNRzBxTk13TVNDa3NKUHElMkZESWp3JTJGMCUyQkI3SG1YZmVBJTJGMSUyRjBIVTBJbnlhWnlYZ1dRZGU4emV2QUg5NVhVeXlsTE5VaU9YQXRkck5KUWhza0hjTHJOQkZxMG1oT2lnJTNEJTNE

https://thehackernews.com/2025/11/critical-react-native-cli-flaw-exposed.html

https://nvd.nist.gov/vuln/detail/CVE-2025-11953

Back to top