Find more live information in Aikido here: https://app.aikido.dev/queue?sidebarIssue=34758836&groupId=117496&sidebarIssueTask=5473247&sidebarTab=tasks
Scope
These issues affect the following code repository:
- components-react: package-lock.json
TLDR
Affected versions of the React Native Community CLI expose a Metro development server that binds to external interfaces and provides an endpoint vulnerable to OS command injection, allowing unauthenticated remote attackers to issue crafted POST requests that execute arbitrary executables. On Windows, attackers can further run arbitrary shell commands with fully controlled arguments.
https://security.aikido.dev/cve/AIKIDO-2025-10854
How to fix
Upgrade the @react-native-community/cli and @react-native-community/cli-server-api library to the patch version.
Find more live information in Aikido here: https://app.aikido.dev/queue?sidebarIssue=34758836&groupId=117496&sidebarIssueTask=5473247&sidebarTab=tasks
Scope
These issues affect the following code repository:
TLDR
Affected versions of the React Native Community CLI expose a Metro development server that binds to external interfaces and provides an endpoint vulnerable to OS command injection, allowing unauthenticated remote attackers to issue crafted POST requests that execute arbitrary executables. On Windows, attackers can further run arbitrary shell commands with fully controlled arguments.
https://security.aikido.dev/cve/AIKIDO-2025-10854
How to fix
Upgrade the
@react-native-community/cliand@react-native-community/cli-server-apilibrary to the patch version.