fix: Add stricter URL validation to openURLMiddleware#2697

Merged: huntie merged 1 commit into react-native-community:main from huntie:security-open-url-validation on Aug 4, 2025

Conversation

@huntie

@huntie huntie commented Jul 30, 2025

Collaborator

Summary

References

Test Plan

Invalid URL

[screenshot]

✅ Blocked

Sanity check — regular URL

[screenshot]

✅ OK
✅ Opens web browser

Checklist

  • Documentation is up to date.
  • Follows commit message convention described in CONTRIBUTING.md.
  • For functional changes, my test plan has linked these CLI changes into a local react-native checkout (instructions).
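As an added example, not code from this PR or from the cli project, the check below shows the behaviour the test plan above exercises: an unparseable or non-web URL is blocked with a 400, a regular http(s) URL is normalised and handed to the browser opener. The middleware shape (`req.body.url`, an injected `openInBrowser` function, `res.status().json()`) and the allowed-scheme list are assumptions made for the example; the actual validation in openURLMiddleware may differ.

```javascript
// Added example (not the cli project's own code). Assumed middleware shape:
// an Express-style (req, res) handler that reads `url` from the JSON body and
// calls an injected `openInBrowser` only after the URL passes validation.

// Schemes we are willing to hand to the system browser. Anything else
// (file:, javascript:, custom app schemes, bare paths) is rejected.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns { ok: true, url } with the normalised href, or { ok: false, reason }.
function validateOpenUrl(input) {
  if (typeof input !== 'string' || input.length === 0) {
    return { ok: false, reason: 'url must be a non-empty string' };
  }
  let parsed;
  try {
    parsed = new URL(input); // WHATWG parser: throws on malformed input
  } catch (err) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: 'scheme not allowed: ' + parsed.protocol };
  }
  if (parsed.hostname === '') {
    return { ok: false, reason: 'missing host' };
  }
  // Pass on the normalised form, never the raw request string.
  return { ok: true, url: parsed.href };
}

// Hypothetical middleware factory; `openInBrowser` stands in for whatever
// opener the server uses (e.g. the `open` package).
function createOpenUrlMiddleware(openInBrowser) {
  return function openUrlMiddleware(req, res) {
    const result = validateOpenUrl(req.body && req.body.url);
    if (!result.ok) {
      res.status(400).json({ error: result.reason });
      return;
    }
    openInBrowser(result.url);
    res.status(200).json({ ok: true });
  };
}

// Minimal stand-in for an Express response so the example runs offline.
function makeFakeResponse() {
  const res = { statusCode: null, body: null };
  res.status = function (code) { res.statusCode = code; return res; };
  res.json = function (payload) { res.body = payload; return res; };
  return res;
}

// Runs the middleware over constructed sample inputs and reports which
// status each got and which URLs actually reached the opener.
function runDemo() {
  const opened = [];
  const middleware = createOpenUrlMiddleware(function (url) { opened.push(url); });
  const inputs = [
    'https://example.com/docs', // regular URL: allowed
    'javascript:void(0)',       // non-web scheme: blocked
    'file:///etc/hosts',        // local file scheme: blocked
    'not a url',                // unparseable: blocked
    '',                         // empty: blocked
  ];
  const statuses = inputs.map(function (url) {
    const res = makeFakeResponse();
    middleware({ body: { url: url } }, res);
    return res.statusCode;
  });
  return { statuses: statuses, opened: opened };
}

console.log(JSON.stringify(runDemo()));
```

The important design choice is that the opener only ever sees the parsed, normalised `href`, so scheme checks cannot be bypassed by case or whitespace tricks that the raw string might carry.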
@thymikee

Member

Thanks! Feel free to merge

@huntie huntie force-pushed the security-open-url-validation branch from 484e42a to d003eab Compare August 4, 2025 10:00
@huntie

huntie commented Aug 4, 2025

Collaborator Author

d003eab: Remove {appName: 'browser'} argument — led to a no-op in local testing on a macOS system.

@huntie huntie merged commit 1508990 into react-native-community:main Aug 4, 2025
4 of 8 checks passed
@huntie huntie deleted the security-open-url-validation branch August 4, 2025 10:01
@benomatis


@huntie @szymonrybczak can we have a fix for this in v15 as well please? I would appreciate that a lot!

@szymonrybczak

Collaborator

@benomatis 15.x wasn't affected by this security vulnerability, since it already has URL validation

@benomatis

benomatis commented Nov 7, 2025


@szymonrybczak the CVE communication I read about this (maybe I am using the wrong sources) says this:

> The vulnerability directly affects the @react-native-community/cli-server-api package, versions 4.8.0 to 20.0.0-alpha.2

So is this an incorrect statement? What would be a reliable source of information on the CVE?

My source: https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/

This originally reached me via a GitHub dependabot alert: GHSA-399j-vxmf-hjvr

@szymonrybczak

Collaborator

Take a look at my response:

https://x.com/szymonrybczak/status/1986199665000566848?s=46

the "official" is a bit wrong

@tommasini


@szymonrybczak This issue was created; I think many people will come across it: #2733

Can you go there and explain your thoughts? It would be awesome to understand why this was flagged now and is wrong.

@szymonrybczak

Collaborator

@tommasini good point, thank you for suggesting it! I'll report our findings there too 👍

@benomatis


@szymonrybczak how can this reach GitHub so that dependabot doesn't report it and create panic?

leotm added a commit to leotm/react-native-template-new-architecture that referenced this pull request Jun 30, 2026
- revert d1b5e9c patch fix
- bump @react-native-community/cli
- bump @react-native-community/cli-platform-android
- bump @react-native-community/cli-platform-ios

Resolve: #1994

Supersedes
- #1980
- #2012
- #2013

Ref
- react-native-community/template#231
  - react-native-community/template#232
  - react/react-native#57344

Includes URL sanitisation fix (v20.1.1 regression)
- react-native-community/cli#2814
- react-native-community/cli#2812
- react-native-community/cli#2758
- react-native-community/cli#2735
- react-native-community/cli#2697

5 participants