Summary: CISA has added CVE-2025-11953, an OS Command Injection vulnerability in the React Native Community CLI, to its Known Exploited Vulnerabilities (KEV) catalog. Attackers are actively exploiting this flaw to compromise developer environments during the build process of mobile applications.
Business Impact: High Supply Chain Risk. A compromise of a developer’s workstation via the CLI can lead to the injection of malicious code into your production mobile apps. This effectively weaponizes your own development pipeline against your customers.
Why It Happened: Inadequate input validation in the CLI's command processing engine allowed arbitrary shell commands to be executed when it processed specially crafted project configurations.
Recommended Executive Action: Mandate an immediate update of the `@react-native-community/cli` package to the latest version across all development teams. Conduct a sweep of build servers for any unauthorized shell activity or anomalous network connections.
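One way to verify the mandated update across checkouts, as an added example that is not part of this brief and not the React Native project's own tooling: it walks a parsed `package-lock.json` (v1 and v2/v3 shapes) and reports every installed copy of the CLI older than a fixed version the caller supplies. Only the package name comes from the brief; the sample lockfile, its version numbers and the `auditLockfile` helper are constructed here, and the real fixed version must be taken from the package's release notes.

```javascript
// Added example, not from the advisory: inventory every installed copy of
// @react-native-community/cli in a parsed package-lock.json and flag copies
// older than a minimum fixed version. The advisory gives no fixed version
// number, so the caller must supply one from the package's release notes.
const PACKAGE = "@react-native-community/cli";
// "1.2.3" or "1.2.3-rc.1" -> [1, 2, 3]; the prerelease tag is handled in isBelow.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}
// True when version a is strictly lower than version b (major.minor.patch).
// A prerelease of the fixed version counts as older than the fix itself.
function isBelow(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return a.includes("-") && !b.includes("-");
}
// Lockfile v2/v3 lists installs under "packages" keyed by node_modules path;
// lockfile v1 nests them under "dependencies". Both shapes are walked so an
// older copy pulled in transitively by another tool is not missed.
function findInstalledVersions(lock) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + PACKAGE) && entry.version) {
      found.push({ path, version: entry.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === PACKAGE && entry.version) found.push({ path, version: entry.version });
      walk(entry.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}
// Returns the copies that still need updating, given the minimum fixed version.
function auditLockfile(lock, minFixedVersion) {
  return findInstalledVersions(lock).filter((c) => isBelow(c.version, minFixedVersion));
}
// Constructed sample lockfile (v3 shape) with a current top-level copy and an
// older nested copy; the version numbers are illustrative, not the real fix.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/@react-native-community/cli": { version: "15.0.0" },
  "node_modules/some-tool/node_modules/@react-native-community/cli": { version: "9.1.0" },
} };
console.log(auditLockfile(SAMPLE_LOCK, "15.0.0")); // reports only the nested 9.1.0 copy
```

Run it against each repository's lockfile after the update to confirm no stale nested copy survives.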
Hashtags: #CISA #KEV #ReactNative #AppSec #SupplyChain #CommandInjection #PatchNow
