Saved February 14, 2026
Do you care about this?
A serious security vulnerability in the "@react-native-community/cli" npm package allowed attackers to execute arbitrary OS commands on development servers. The flaw, tracked as CVE-2025-11953, was patched in version 20.0.0 after being discovered by JFrog's security team. Developers using affected versions are at risk if they run the Metro development server.
If you do, here's more
A severe security flaw has been found in the "@react-native-community/cli" npm package, which is widely used in developing React Native applications. The vulnerability, identified as CVE-2025-11953, has a CVSS score of 9.8, marking it as critical. It allows unauthenticated remote attackers to execute arbitrary operating system commands by exploiting the Metro development server's default binding to external interfaces, particularly through an unprotected "/open-url" endpoint. The issue affects versions 4.8.0 to 20.0.0-alpha.2 and has been patched in version 20.0.0, released last month.
The flaw arises from how the Metro server processes POST requests containing user-supplied values, which are passed without validation to the open() function of the open npm package. In practical terms, an attacker could craft a POST request that triggers command execution on the server. On Windows this allows arbitrary shell commands; on Linux and macOS the control is limited to launching specific binaries. Developers using React Native without the Metro server are unaffected.
JFrog's Senior Security Researcher, Or Peles, highlighted the ease of exploitation and the lack of authentication, raising alarms about the risks associated with third-party code in software supply chains. This incident emphasizes the importance of automated security scanning to catch such vulnerabilities before they can be exploited in the wild.