News

JFrog Uncovers Severe React Vulnerability Threat to Software Supply Chains

  • Michael Vizard--securityboulevard.com
  • published date: 2025-11-06 00:00:00 UTC


<p>The security research team at JFrog, a provider of a platform for building and deploying software, has discovered a <a href="https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/">critical vulnerability in an npm (Node package manager) package</a> found in tools used by application developers. The flaw enables unauthenticated attackers to remotely trigger arbitrary operating system commands by sending a POST request to a Metro server, the bundler used to produce JavaScript code.</p><p>The @react-native-community/cli package that contains the vulnerability is maintained by the React Native Community command line interface (CLI) project, which provides tools that are widely used to build mobile applications.</p><p>Assigned a vulnerability score of 9.8, the flaw has since been remediated by the security team at Meta that maintains Metro, but DevSecOps teams are advised to make sure they are running the latest version.</p><p>Shachar Menashe, vice president of security research for JFrog, said the issue only affects application development teams that are using the CLI to build applications on a Metro server without installing the rest of the React framework. The CVE-2025-11953 vulnerability is also only exploitable from a local machine that is being used to access the @react-native-community/cli package running on a Metro server used to bundle JavaScript code.</p><p>The issue is that when CLI tools are used with an instance of Metro that has not been updated, the vulnerability is relatively trivial to exploit, said Menashe.</p><p>It’s not clear how widespread this issue is, but this package is typically downloaded more than two million times a week. However, not all of those downloads will necessarily be used with a Metro server.</p><p>The challenge, as always when it comes to securing software supply chains, is determining who is responsible for patching application development environments. Historically, cybersecurity teams have assumed development teams were staying current on updates made to the tools and platforms they rely on to build applications. In reality, a series of breaches involving software supply chains has shone a light on the need for cybersecurity teams to be more involved.</p><p>More troubling still, developers are now adopting AI coding tools that may prove even more vulnerable to attacks such as prompt injection, with consequences that may prove even more lethal.</p><p>Each organization will need to determine how best to secure its software supply chain, which is increasingly targeted by cybercriminals hoping to distribute malware into any number of downstream applications built using tools and platforms that have known, easily exploited vulnerabilities.</p><p>Regulations pertaining to securing software supply chains are slowly becoming more stringent, so it’s now only a matter of time before cybersecurity teams become more involved once more audits are conducted. In the meantime, however, whenever a vulnerability in a software supply chain is exploited, the responsibility for cleaning up the ensuing mess still tends to fall more on the shoulders of the cybersecurity team than on the application developer who downloaded the tool or platform that was the source of the vulnerability. As such, it’s in the best interest of those cybersecurity teams to ensure those tools and platforms are as secure as possible.</p>
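<p>The advice above is to make sure every project is running a patched version of @react-native-community/cli. One practical way to check that across a code base is to audit each project's package-lock.json, because the package can be installed more than once (nested under other dependencies) and a top-level upgrade can leave an older nested copy behind. The script below is an added example written for this page; it is not code from the article, from JFrog or from the React Native Community project. It walks both the lockfileVersion 2/3 <code>packages</code> map and the lockfileVersion 1 nested <code>dependencies</code> tree, and compares each installed version against a minimum patched version. The article does not state the fixed version, so <code>MIN_PATCHED_PLACEHOLDER</code> is a labelled placeholder (as are all versions in the constructed sample lock file); take the real threshold from the vendor advisory linked above.</p>

```javascript
// Added example (not from the article, JFrog or the React Native Community):
// audit a package-lock.json for every installed copy of a named package and
// flag the copies below a minimum patched version.

const AFFECTED_PACKAGE = "@react-native-community/cli";
// PLACEHOLDER: the article does not give the fixed version; replace with the
// value from the advisory before using the result for anything.
const MIN_PATCHED_PLACEHOLDER = "2.0.0";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v").
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
// A prerelease sorts before its release (1.2.3-rc.1 < 1.2.3), so a
// prerelease of the patched version is still reported as vulnerable.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Collect every install path of `name`, including nested node_modules copies.
function findInstalls(lock, name) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path. v2 also carries a
    // legacy "dependencies" tree, so only one of the two branches is walked.
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested dependency tree.
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Returns [{ path, version, vulnerable }] for each installed copy.
function auditLockfile(lock, name, minPatched) {
  return findInstalls(lock, name).map(({ path, version }) => ({
    path,
    version,
    vulnerable: compareSemver(version, minPatched) < 0,
  }));
}

// Constructed sample lock file; the versions are made up for the demo.
// Note the second, nested copy that a plain top-level upgrade would miss.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@react-native-community/cli": { version: "1.2.3" },
    "node_modules/some-tool": { version: "4.0.0" },
    "node_modules/some-tool/node_modules/@react-native-community/cli": { version: "2.0.0" },
    "node_modules/@react-native-community/cli-platform-ios": { version: "1.2.3" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK, AFFECTED_PACKAGE, MIN_PATCHED_PLACEHOLDER)) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.version.padEnd(10)} ${f.path}`);
}
```

<p>In practice the input is <code>JSON.parse(fs.readFileSync("package-lock.json", "utf8"))</code> for each project; the sample above stands in for that so the script runs offline. The path match deliberately requires the full <code>node_modules/&lt;name&gt;</code> segment, so sibling packages with the same prefix (such as the platform helper in the sample) are not miscounted.</p>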