What developers must do now: Developers using @react-native-community/cli (or the bundled cli-server-api) in their React Native projects should check their installed dependencies (for example with npm list) for the vulnerable package version. The vulnerability is fixed in version 20.0.0 of cli-server-api, so updating immediately is recommended.

The stakes include an attacker remotely executing commands on the victim's development machine, potentially leading to broader network access, code corruption, or the injection of malicious payloads into an app build. If updating isn't feasible right away, JFrog advised restricting the dev server to localhost by explicitly passing the "--host 127.0.0.1" flag to reduce exposure.

"It's a reminder that secure coding practices and automated security scanning are essential for preventing these easily exploitable flaws before they make it to production," the researchers said, recommending JFrog SAST for identifying issues early in the development process.

The React Native CLI flaw mirrors a broader trend of attackers slipping into developer ecosystems, from npm packages with hidden payloads to rogue "verified" IDE extensions, turning trusted build tools into stealthy points of entry.
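The two mitigations above (confirm the installed cli-server-api version is at least 20.0.0, and bind the dev server to localhost until it is) can be turned into a small defensive check. The script below is an added example, not code from the article or from JFrog or the React Native project. It parses `npm ls --json` output with sed so it needs no jq, assumes the package appears once in that output, and assumes the start option is spelled `--host` (the `react-native start` option the article's "host 127.0.0.1" advice refers to); the JSON sample is constructed for demonstration.

```shell
#!/bin/sh
set -e

PKG="@react-native-community/cli-server-api"
FIXED_MAJOR=20   # first fixed release per the article is 20.0.0

# Constructed `npm ls --json` excerpt used for the offline demonstration; not real project data.
SAMPLE_NPM_LS='{
  "name": "example-app",
  "dependencies": {
    "@react-native-community/cli-server-api": { "version": "19.1.1" }
  }
}'

# installed_version JSON PKGNAME
# Prints the "version" field that follows the first occurrence of PKGNAME in
# npm ls JSON output. Uses '|' as the sed delimiter because the package name
# contains '/'. Prints nothing if the package is absent.
installed_version() {
  printf '%s\n' "$1" | tr -d '\n' \
    | sed -n "s|.*\"$2\"[^}]*\"version\": *\"\([^\"]*\)\".*|\1|p"
}

# is_vulnerable VERSION
# Returns 0 (true) when the major version is below the fixed release,
# i.e. the dev server still carries the RCE flaw described in the article.
is_vulnerable() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  [ "$major" -lt "$FIXED_MAJOR" ]
}

# safe_start_command
# The interim mitigation: bind the Metro dev server to the loopback address
# so it is not reachable from the network. Assumes the CLI's --host option.
safe_start_command() {
  printf '%s\n' "npx react-native start --host 127.0.0.1"
}

# check_project
# Live check against the current project; requires npm and a node_modules tree.
check_project() {
  v=$(installed_version "$(npm ls "$PKG" --json 2>/dev/null || true)" "$PKG")
  if [ -z "$v" ]; then
    echo "$PKG not found in this project"
  elif is_vulnerable "$v"; then
    echo "VULNERABLE: $PKG $v installed; upgrade to >= ${FIXED_MAJOR}.0.0"
    echo "Until then start the dev server with: $(safe_start_command)"
  else
    echo "OK: $PKG $v is at or above the fixed release"
  fi
}

# Offline demonstration on the constructed sample.
demo_version=$(installed_version "$SAMPLE_NPM_LS" "$PKG")
if is_vulnerable "$demo_version"; then
  echo "sample project: $PKG $demo_version is vulnerable; use: $(safe_start_command)"
fi
```

Run `check_project` from the project root to test a real checkout; the version comparison only needs the major number because the fix landed in a major release, so no semver library is required.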
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4085797/rce-in-react-native-cli-opens-dev-servers-to-attacks.html

