Software supply chain security firm JFrog has disclosed the details of a critical vulnerability affecting a popular React Native NPM package.
React Native is an open source framework designed for creating applications that work across mobile, desktop and web platforms.
The vulnerability discovered by JFrog researchers, tracked as CVE-2025-11953 and assigned a CVSS score of 9.8, impacts the React Native Community CLI NPM package (@react-native-community/cli), which provides command-line tools for building apps and which has roughly two million downloads every week.
https://www.securityweek.com/critical-f ... o-attacks/