React Native Community CLI Metro Development Server OS Command Injection Vulnerability

A command injection vulnerability has been identified in the Metro Development Server, which is launched by the React Native Community CLI. By default, the server binds to external interfaces and exposes an endpoint vulnerable to operating system command injection. This flaw allows unauthenticated network attackers to send POST requests that execute arbitrary files. On Windows systems, the vulnerability also permits the execution of shell commands with fully controlled arguments.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the server's operating system. On Windows, this includes executing shell commands with user-defined arguments.

Remediation

Users are advised to update to React Native Community CLI version 20.0.2, which includes a patch for this vulnerability. Instructions for updating can be found in the JFrog Blog post detailing this vulnerability.