Skip to content

Major upgrade for @react-native-community/cli #2

Description

@hosseinqadiri

Find more live information in Aikido here: https://app.aikido.dev/queue?sidebarIssue=34758836&groupId=117496&sidebarIssueTask=5473247&sidebarTab=tasks

Scope

These issues affect the following code repository:

  • components-react: package-lock.json

TLDR

Affected versions of the React Native Community CLI expose a Metro development server that binds to external interfaces and provides an endpoint vulnerable to OS command injection, allowing unauthenticated remote attackers to issue crafted POST requests that execute arbitrary executables. On Windows, attackers can further run arbitrary shell commands with fully controlled arguments.
https://security.aikido.dev/cve/AIKIDO-2025-10854

How to fix

Upgrade the @react-native-community/cli and @react-native-community/cli-server-api library to the patch version.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions