Millions of developers could be open to attack after critical flaw exploited - here's what we know
SMRTR summary
A critical vulnerability (CVE-2025-11953) in the widely used React Native CLI package exposes millions of developers to potential cyberattacks through command injection. The flaw affects versions 4.8.0 through 20.0.0-alpha.2 of the "@react-native-community/cli" package, which receives two million weekly downloads, and allows attackers to execute malicious commands without authentication. The vulnerability has been patched in version 20.0.0, with no confirmed exploitation reported yet.
SMRTR provides this summary for quick context. The original article belongs to TechRadar.