
Conversation

@huntie
Collaborator

@huntie huntie commented Jul 30, 2025

Summary

References

Test Plan

Invalid URL

[screenshot omitted]

✅ Blocked

Sanity check — regular URL

[screenshot omitted]

✅ OK
✅ Opens web browser

Checklist

  • Documentation is up to date.
  • Follows commit message convention described in CONTRIBUTING.md.
  • For functional changes, my test plan has linked these CLI changes into a local react-native checkout (instructions).
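As an added illustration of the kind of check this PR's test plan exercises (an invalid URL is blocked, a regular http(s) URL is opened in the browser), here is a standalone JavaScript validator. This is example code written for this page, not the react-native-community/cli implementation; the names `validateOpenUrl`, `handleOpenUrl` and the return shapes are assumptions, and the sample inputs are constructed.

```javascript
// Added example, not the project's own code. Validates a user-supplied URL
// before it is handed to a "open in browser" helper, so that only web URLs
// ever reach the launcher. validateOpenUrl/handleOpenUrl are assumed names.

// Only web URLs are allowed through; file:, custom app schemes and plain
// garbage are all rejected before anything is launched.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function validateOpenUrl(input) {
  if (typeof input !== 'string' || input.trim() === '') {
    return { ok: false, reason: 'missing url' };
  }
  let parsed;
  try {
    // WHATWG URL parser (global in Node.js and browsers); throws on
    // anything that is not an absolute URL.
    parsed = new URL(input);
  } catch (e) {
    return { ok: false, reason: 'unparseable url' };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `disallowed protocol ${parsed.protocol}` };
  }
  if (parsed.hostname === '') {
    return { ok: false, reason: 'missing host' };
  }
  // Hand back the normalised form so the caller opens exactly what was checked.
  return { ok: true, url: parsed.href };
}

// Request handler in the shape of the test plan: blocked vs. opened.
// `openInBrowser` stands in for whatever launcher the server actually uses.
function handleOpenUrl(input, openInBrowser) {
  const result = validateOpenUrl(input);
  if (!result.ok) {
    return { status: 400, body: `Invalid URL: ${result.reason}` };
  }
  openInBrowser(result.url);
  return { status: 200, body: 'OK' };
}

// Constructed sample inputs mirroring the test plan; the fake launcher only
// records what it would have opened.
function runTestPlan() {
  const opened = [];
  const open = (u) => opened.push(u);
  return {
    invalid: handleOpenUrl('not a url', open),
    fileScheme: handleOpenUrl('file:///tmp/example.txt', open),
    regular: handleOpenUrl('https://reactnative.dev/', open),
    opened,
  };
}

console.log(runTestPlan());
```

The validator returns the parser's normalised `href` rather than the raw input, so the string that is checked and the string that is launched are the same value.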
@thymikee
Member

Thanks! Feel free to merge

@huntie huntie force-pushed the security-open-url-validation branch from 484e42a to d003eab August 4, 2025 10:00
@huntie
Collaborator Author

huntie commented Aug 4, 2025

d003eab: Remove {appName: 'browser'} argument — led to a no-op in local testing on a macOS system.

@huntie huntie merged commit 1508990 into react-native-community:main Aug 4, 2025
4 of 8 checks passed
@huntie huntie deleted the security-open-url-validation branch August 4, 2025 10:01
@benomatis

@huntie @szymonrybczak can we have a fix for this in v15 as well please? I would appreciate that a lot!

@szymonrybczak
Collaborator

@benomatis 15.x wasn't affected by this security vulnerability, since it already has URL validation.

@benomatis

benomatis commented Nov 7, 2025

@szymonrybczak the CVE communication I read about this (maybe I use wrong sources) says this:

The vulnerability directly affects the @react-native-community/cli-server-api package, versions 4.8.0 to 20.0.0-alpha.2

So is this an incorrect statement? What would be a reliable source of information on the CVE?

My source: https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/

This originally reached me via a GitHub dependabot alert: GHSA-399j-vxmf-hjvr

@szymonrybczak
Collaborator

Take a look at my response:

https://x.com/szymonrybczak/status/1986199665000566848?s=46

the "official" is a bit wrong

@tommasini

@szymonrybczak This issue was created; I think many people will come across it:
#2733

Can you go there and explain your thoughts? It would be awesome to understand why this was flagged now and is wrong.

@szymonrybczak
Collaborator

@tommasini good point, thank you for suggesting it! I'll report our findings there too 👍

@benomatis

@szymonrybczak how can this reach GitHub so that dependabot doesn't report it and create panic?
