Sydney, Australia – November 5, 2025 — JFrog Ltd (Nasdaq: FROG), the Liquid Software company and creators of the award-winning JFrog Software Supply Chain Platform, today announced the discovery of a critical remote code execution (RCE) vulnerability (CVSS 9.8) affecting react-native, a popular open-source framework for developing cross-platform mobile applications.
The vulnerability was found in a package that is part of the broader React Native Community CLI project, which is widely used by developers. The CLI is a collection of command line tools that help developers build React Native mobile applications. CVE-2025-11953 allows unauthenticated attackers on the same network to remotely execute arbitrary operating system commands on a developer’s machine while the CLI’s development server is running. The risk is amplified by a second issue: the development server binds to external network interfaces by default, so the vulnerable endpoint is reachable from other hosts rather than only from the developer’s own machine, which makes the command execution flaw far easier to reach in practice.
“This critical vulnerability is particularly dangerous due to its ease of exploitation, lack of authentication requirements and broad attack surface. It also exposes the critical risks hidden in third-party code,” said Or Peles, Senior Security Researcher, JFrog. “For developer and security teams, this underscores the need for automated, comprehensive security scanning across the software supply chain to ensure easily exploitable flaws are remediated before they impact your organisation.”
On Windows machines, the vulnerability enables arbitrary OS command execution with full control over the command’s parameters: an attacker supplies a crafted url parameter in a POST request to the development server’s /open-url endpoint. On Linux and macOS it enables execution of arbitrary executables with limited parameter control, though JFrog notes that full parameter control may be possible with further research.
How can CVE-2025-11953 be mitigated?
Performing the following steps will mitigate CVE-2025-11953:
- Update @react-native-community/cli-server-api to version 20.0.0, which includes a fix for CVE-2025-11953, in each of your react-native projects. This is the recommended solution.
- Update @react-native/community-cli-plugin to version 20.0.0, to ensure the development server does not bind to external network interfaces by default.
To view the full technical analysis and complete mitigation steps, visit the blog here: jfrog.com/blog/CVE-2025-11953-critical-react-native-community-cli-vulnerability
About JFrog
JFrog Ltd. (Nasdaq: FROG), is on a mission to create a world of software continuously delivered without friction from GenAI-powered developers to the distributed edge in a single solution. The JFrog Software Supply Chain Platform is a system of record for DevOps, DevSecOps and MLOps that powers organisations to build, manage, and distribute software quickly and securely, ensuring it is always available, traceable, governable and tamper-proof. Fuelled by JFrog Artifactory as the single source of truth for digital businesses’ assets, JFrog’s cloud-native and hybrid platform is available across major cloud service providers’ marketplaces. Millions of users and 7K+ customers worldwide – including the majority of the Fortune 100 – depend on JFrog solutions to securely embrace digital transformation at scale in the AI era. Learn more at www.jfrog.com or follow us on X @JFrog.

Techedge AI is a niche publication dedicated to keeping its audience at the forefront of the rapidly evolving AI technology landscape. With a sharp focus on emerging trends, groundbreaking innovations, and expert insights, we cover everything from C-suite interviews and industry news to in-depth articles, podcasts, press releases, and guest posts. Join us as we explore the AI technologies shaping tomorrow’s world.