@W-20151632: MSDK Android Security Bug: CVE-2025-11953 - React Native Community CLI (RCE) #2800
… Community CLI (RCE)
libs/SalesforceReact/package.json
Outdated
| "react-native": "0.79.3", | ||
| "react": "19.1.1", | ||
| "react-native": "0.82.1", | ||
| "@react-native/new-app-screen": "0.82.1", |
@wmathurin - Since this is a library module, I think we should try to avoid adding the two new dependencies here? The upgrade helper is only available for apps - not libraries. All the other files in the upgrade helper with obvious app-level changes are already absent from our library with this one exception.
I think we only need them in apps.
Also shouldn't you upgrade react-native-force (i.e. SalesforceMobileSDK-ReactNative) first?
| "node": ">=18" | ||
| "node": ">=20" |
We need to update the versions spreadsheet so this new min version gets added to release notes.
… Community CLI (RCE) (Gradle and Android Gradle Plug In Updates)
| implementation("androidx.appcompat:appcompat:1.7.1") | ||
| implementation("androidx.biometric:biometric:1.2.0-alpha05") | ||
| implementation("androidx.lifecycle:lifecycle-extensions:2.2.0") | ||
| implementation("androidx.core:core-ktx:1.16.0") // Update requires API 36 compileSdk |
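Review bot: the inline comment on the core-ktx line explains the 1.16.0 pin (a newer release requires compileSdk 36), but it does not say when the pin will be lifted; the same compileSdk 36 constraint is recorded elsewhere in this PR as "Will be upgraded to 36 in Mobile SDK 14.0", so add that target here too so both pins are revisited together and the Danger "newer version available" warning on this line is understood as deliberate.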
A newer version of androidx.core:core-ktx than 1.16.0 is available: 1.17.0
| implementation("androidx.biometric:biometric:1.2.0-alpha05") | ||
| implementation("androidx.lifecycle:lifecycle-extensions:2.2.0") | ||
| implementation("androidx.core:core-ktx:1.16.0") // Update requires API 36 compileSdk | ||
| implementation("androidx.activity:activity-ktx:$androidXActivityVersion") |
A newer version of androidx.activity:activity-ktx than 1.10.1 is available: 1.11.0
| implementation("androidx.lifecycle:lifecycle-extensions:2.2.0") | ||
| implementation("androidx.core:core-ktx:1.16.0") // Update requires API 36 compileSdk | ||
| implementation("androidx.activity:activity-ktx:$androidXActivityVersion") | ||
| implementation("androidx.activity:activity-compose:$androidXActivityVersion") |
A newer version of androidx.activity:activity-compose than 1.10.1 is available: 1.11.0
| implementation("androidx.lifecycle:lifecycle-viewmodel-compose:$livecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-viewmodel-savedstate:$livecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-service:$livecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-viewmodel-ktx:$lifecycleVersion") |
A newer version of androidx.lifecycle:lifecycle-viewmodel-ktx than 2.8.7 is available: 2.9.4
| implementation("androidx.lifecycle:lifecycle-viewmodel-savedstate:$livecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-service:$livecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-viewmodel-ktx:$lifecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-viewmodel-compose:$lifecycleVersion") |
A newer version of androidx.lifecycle:lifecycle-viewmodel-compose than 2.8.7 is available: 2.9.4
| implementation("androidx.lifecycle:lifecycle-service:$livecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-viewmodel-ktx:$lifecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-viewmodel-compose:$lifecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-viewmodel-savedstate:$lifecycleVersion") |
A newer version of androidx.lifecycle:lifecycle-viewmodel-savedstate than 2.8.7 is available: 2.9.4
| implementation("androidx.lifecycle:lifecycle-viewmodel-ktx:$lifecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-viewmodel-compose:$lifecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-viewmodel-savedstate:$lifecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-service:$lifecycleVersion") |
A newer version of androidx.lifecycle:lifecycle-service than 2.8.7 is available: 2.9.4
| implementation("androidx.lifecycle:lifecycle-viewmodel-compose:$lifecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-viewmodel-savedstate:$lifecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-service:$lifecycleVersion") | ||
| implementation("org.jetbrains.kotlinx:kotlinx-serialization-json:1.6.3") // Update requires Kotlin 2. |
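Review bot: kotlinx-serialization-json stays at 1.6.3 with only an "Update requires Kotlin 2." comment while Danger reports 1.9.0 is available; for a PR whose purpose is a dependency security fix, a held-back library should carry a tracking reference (ticket or TODO with the Kotlin 2 upgrade) so this pin, and the composeVersion and lifecycleVersion pins that cite the same reason, are not silently frozen.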
A newer version of org.jetbrains.kotlinx:kotlinx-serialization-json than 1.6.3 is available: 1.9.0
| implementation("androidx.lifecycle:lifecycle-viewmodel-savedstate:$lifecycleVersion") | ||
| implementation("androidx.lifecycle:lifecycle-service:$lifecycleVersion") | ||
| implementation("org.jetbrains.kotlinx:kotlinx-serialization-json:1.6.3") // Update requires Kotlin 2. | ||
| implementation("androidx.window:window:1.4.0") |
A newer version of androidx.window:window than 1.4.0 is available: 1.5.0
Generated by 🚫 Danger
| implementation("androidx.lifecycle:lifecycle-service:$lifecycleVersion") | ||
| implementation("org.jetbrains.kotlinx:kotlinx-serialization-json:1.6.3") // Update requires Kotlin 2. | ||
| implementation("androidx.window:window:1.4.0") | ||
| implementation("androidx.window:window-core:1.4.0") |
A newer version of androidx.window:window-core than 1.4.0 is available: 1.5.0
Generated by 🚫 Danger
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Additional details and impacted files:
@@ Coverage Diff @@
## dev #2800 +/- ##
============================================
+ Coverage 56.16% 56.41% +0.25%
- Complexity 2490 2507 +17
============================================
Files 211 211
Lines 16928 16919 -9
Branches 2376 2369 -7
============================================
+ Hits 9507 9545 +38
+ Misses 6377 6329 -48
- Partials 1044 1045 +1
| - uses: gradle/actions/setup-gradle@v4 | ||
| with: | ||
| gradle-version: "8.10.1" | ||
| gradle-version: "8.12.0" |
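Review bot: `gradle-version: "8.12.0"` in the setup-gradle step has to match a published Gradle release string exactly, and a reviewer below reports that no 8.12.0 release exists and that the build fails on it. Pin the same version the Gradle wrapper in this PR uses, or drop the explicit `gradle-version` so setup-gradle resolves the wrapper's version, which keeps CI and the wrapper from drifting apart.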
Since this was reviewed on Friday, Gradle and AGP have been updated.
For future reference, this is the Gradle version not the AGP version. There is no version 8.12.0 so this is causing build failures.
| testNamespace = "com.salesforce.androidsdk.reactnative.tests" | ||
|
|
||
| //noinspection GradleDependency - Will be upgraded to 36 in Mobile SDK 14.0 | ||
| //noinspection GradleDependency - Will be upgraded to 36 in Mobile SDK 14.0. Also, React Native 0.82.1 requests 36. |
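Review bot: the updated noinspection comment records that React Native 0.82.1 requests compileSdk 36 while the library stays on its lower compileSdk until Mobile SDK 14.0; since this is a deliberate divergence from the React Native upgrade assistant, state it in the PR description or release notes as a known gap so consumers building against 0.82.1 know to expect it.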
I added this note since we're temporarily diverging from the React Native Upgrade Assistant on this one.
… Community CLI (RCE) (Remove App Level React Native Dependencies)
| dependencies { | ||
| val composeVersion = "1.8.2" // Update requires Kotlin 2. | ||
| val livecycleVersion = "2.8.7" // Update requires Kotlin 2. | ||
| val lifecycleVersion = "2.8.7" // Update requires Kotlin 2. |
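Review bot: the `val livecycleVersion` declaration is renamed to `lifecycleVersion` here; because both spellings appear across the surrounding dependency lines in this PR, any leftover `$livecycleVersion` reference would fail the Kotlin DSL build with an unresolved reference, so a grep for the old spelling before merge is cheap insurance.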
I believe this little typo was mine years ago, so I added it here as an unrelated fix.
… Community CLI (RCE) (Revert To React Native 0.81.5)
libs/SalesforceReact/package.json
Outdated
| "react-native-force": "git+https://github.com/forcedotcom/SalesforceMobileSDK-ReactNative.git#dev" | ||
| "react": "19.1.0", | ||
| "react-native": "0.81.5", | ||
| "react-native-force": "git+https://github.com/JohnsonEricAtSalesforce/SalesforceMobileSDK-ReactNative.git#bugfix/w-20151632_msdk-android-security-bug-cve-2025-11953-react-native-community-cli-rce" |
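Review bot: "react-native-force" now resolves to a git dependency on a personal fork branch (JohnsonEricAtSalesforce/SalesforceMobileSDK-ReactNative.git#bugfix/...); this must point back at the forcedotcom repository before merge, since a branch reference on a fork is a mutable, unreviewed source in the dependency chain. The prior value (#dev) is also a moving branch, so consider pinning to a tag or commit for reproducible builds.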
Don't forget to revert that :-)
… Community CLI (RCE) (Self Review Cleanup)
… Community CLI (RCE) (Gradle Wrapper Update)
ae66239 into forcedotcom:dev
🎸 Ready For Review 🥁
This updates the SalesforceReact library for Android to React Native 0.82.1 according to the official React Native Upgrade Helper. Note: This won't be merged until it's tested with corresponding changes to the template apps.