4881 matches found
Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks
Details have emerged about a now-patched critical security flaw in the popular "@react-native-community/cli" npm package that could potentially be exploited to run malicious operating system (OS) commands under certain conditions. "The vulnerability allows remote unauthenticated attackers to easily...
Malicious code in react-paypal-braintree-demo (npm)
Source: amazon-inspector 1ebbf8ad1d1a557ec443c0f6ea58587954750259557188b27491cca78c7e9ea7 The package react-paypal-braintree-demo was found to contain malicious code. Source: ossf-package-analysis...
@react-native-community/cli has arbitrary OS command injection
The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary...
GHSA-399J-VXMF-HJVR @react-native-community/cli has arbitrary OS command injection
The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary...
CVE-2025-11953
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary...
CVE-2025-11953 Command injection in React Native Community CLI allows remote attackers to perform remote code execution by sending HTTP requests
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary...
CVE-2025-11953
The CVE-2025-11953 issue affects the React Native Community CLI Server API Node.js Package (versions 4.8.0 up to, but not including, 20.0.0). The Metro Development Server bound to external interfaces exposes an endpoint vulnerable to OS command injection, enabling unauthenticated network attacker...
CVE-2025-11953 Command injection in React Native Community CLI allows remote attackers to perform remote code execution by sending HTTP requests
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary...
React Native Community CLI Security Vulnerability
React Native Community CLI is an open source command line tool for React Native Community. A security vulnerability exists in the React Native Community CLI, which stems from a default binding to an external interface and an OS command injection vulnerability in the endpoint, which could allow an...
Malicious code in react-ui-animates (npm)
Source: amazon-inspector faea1c84618f620702405ada06f82a0352d57b6f8544e33b87cde589284b5ef1 The package react-ui-animates was found to contain malicious code. Source: ghsa-malware...
MAL-2025-49329 Malicious code in react-ui-animates (npm)
Source: amazon-inspector faea1c84618f620702405ada06f82a0352d57b6f8544e33b87cde589284b5ef1 The package react-ui-animates was found to contain malicious code. Source: ghsa-malware...
EUVD-2025-37461
Malicious code in react-ui-animates npm...
Malicious Package
Overview react-icon-pkg is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious Package
Overview icon-react-fork is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious code in react-icon-pkg (npm)
Source: amazon-inspector 0d8ba17d7a373063f5a6120fd27a52bb855006bd5f440ee5d2f287cccaeb6bd5 The package react-icon-pkg was found to contain malicious code. Source: ghsa-malware ce6d8c074bdec68ae646e31b821c3896f805e01c46c5464e8db624d09e133205...
Malicious code in icon-react-fork (npm)
Source: amazon-inspector ad97a4843ca8933070ecec7c05bf536be6b6a80d87925026a6b7be938fd264f7 The package icon-react-fork was found to contain malicious code. Source: ghsa-malware 32d3f4313eda9d40aff4d3624d6f7f534df05b45f0f282fab8e0f8211c1a38c...
MAL-2025-49261 Malicious code in icon-react-fork (npm)
Source: amazon-inspector ad97a4843ca8933070ecec7c05bf536be6b6a80d87925026a6b7be938fd264f7 The package icon-react-fork was found to contain malicious code. Source: ghsa-malware 32d3f4313eda9d40aff4d3624d6f7f534df05b45f0f282fab8e0f8211c1a38c...
EUVD-2025-37246
Malicious code in react-icon-pkg npm...
EUVD-2025-37247
Malicious code in icon-react-fork npm...
MAL-2025-49264 Malicious code in react-icon-pkg (npm)
Source: amazon-inspector 0d8ba17d7a373063f5a6120fd27a52bb855006bd5f440ee5d2f287cccaeb6bd5 The package react-icon-pkg was found to contain malicious code. Source: ghsa-malware ce6d8c074bdec68ae646e31b821c3896f805e01c46c5464e8db624d09e133205...