Request to Backport Security Patch from v18.x to v15.x (Metro Dev Server RCE – SA20251106-01)

[kyoungnowcom]

Hi maintainers 👋,

We are currently using @react-native-community/cli v15.0.1 via our React Native toolchain, and we are tracking the recent security advisory regarding the Metro dev server RCE vulnerability (SA20251106-01 / CVE pending publication).

We noticed that the fix has been committed and released in CLI v18.x — specifically commit a8293dc29425f56249753507bc24d87b698d46e1 which adds stricter URL validation to openURLMiddleware. Thank you for addressing this promptly.


However, we are using React Native 0.76.3, which currently aligns with the CLI 15.x release line. Upgrading React Native and moving to CLI 18.x+ is a significant effort requiring regression testing and release scheduling, so we cannot complete that upgrade immediately.

Request

Would it be possible to backport the security patch from v18.x (commit a8293dc…) to the v15.x branch?

Several production apps are in the same situation where React Native versions in the 0.70–0.76 range rely on CLI 14–16. A backport would allow these teams to mitigate the vulnerability without forcing an app-wide RN upgrade ahead of schedule.

Current Environment

React Native 0.76.3
@react-native-community/cli 15.0.1
Platforms iOS + Android

Temporary Mitigation in Place

We have already applied compensating controls by binding the Metro dev server to localhost only:

npx react-native start --host 127.0.0.1
adb reverse tcp:8081 tcp:8081
# iOS simulator already uses localhost; USB tunnel is used for devices.

While this significantly reduces the exposure surface, we would prefer to apply an officially patched release for CLI 15.x.

We can help

We are happy to:
• test the patched branch across both platforms,
• verify behavior in RN 0.76.x environments,
• provide logs or reproduce steps if required.

Thank you again for your work maintaining the CLI — it’s deeply appreciated by the React Native community 🙏
Please let us know if a backport PR or test validation would be helpful.

[jotahws]

Totally agree. Limiting the fix to CLI v17+ effectively leaves all React Native versions below 0.78 vulnerable

[szymonrybczak]

Hey! React Native CLI maintainer here, actually some parts of this CVE are incorrect, they didn't contact us before publishing the CVE.

Actually the issue only existed in two versions of CLI (v19, v18), so React Native v0.80 and v0.81.

Important

Starting from CLI v9 (~3 years ago), so from React Native v0.70 URL validation was included to prevent using different protocol than http/https, so users between v0.70 and v0.80 (majority of CLI users) are not affected. Here's the PR which added initial validation.

The check was removed during a refactor which we didn't spot when reviewing this PR.

We released v20.0.2 in September with the fix for the vulnerability. I've just cherry-picked and released 2 patch versions for other affected

v19.1.2 for RN v0.81

v18.0.1 for RN v0.80

Please use relevant CLI version for each React Native major version. Updating to latest 20.x version is not supported when your project is using older React Native, it might work but wasn't tested and is not recommended. Learn more here.

[thymikee]

I'll reiterate that we've back ported the fix to all affected versions. And add that the CVE is too eager with its recommendations and sadly we weren't consulted on that.

[benomatis]

How can the CVE be corrected to avoid further panic, especially among those who have dependabot active, which is complaining about versions lower than 17?