
Security vulnerability in Folly (CVE-2019-11934) #27640

@jmp

Description


React Native is using an old, insecure version of Folly.

The current version of Folly in master is 2018.10.22.00. This version has a "critical" security vulnerability CVE-2019-11934 related to SSL sockets.

The latest version of Folly at the moment is 2019.12.30.00, where the above vulnerability has already been fixed, here.

Could you please update Folly to a newer, patched version?

React Native version:

react-native: 0.61.5

Steps To Reproduce

  1. Run react-native init new_project
  2. Open new_project/node_modules/react-native/third-party-podspecs/Folly.podspec in a text editor
  3. Observe how spec.version is 2018.10.22.00

As a consequence, spec.source tells CocoaPods to pull Folly from tag v2018.10.22.00 which contains an unpatched version of Folly without the fix to CVE-2019-11934.

Some additional info:

I noticed this when running dependency-check-cli against a React Native project.
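The steps above amount to a manual audit: open the vendored Folly.podspec, read spec.version, and compare it against a release known to contain the fix. The following script is an added example (not code from the issue or from the React Native project) that automates that check so it can run in CI against node_modules/react-native/third-party-podspecs/Folly.podspec. It assumes the podspec declares the version as `spec.version = '...'` and derives the git tag as `v` plus that version, as the issue describes; the embedded podspec text is a constructed sample, and the minimum acceptable version is taken from the issue's statement that 2019.12.30.00 already carries the fix.

```python
import re
from typing import Optional, Tuple

# Constructed sample of the podspec lines the issue describes. This is not the
# file from the React Native repository; only spec.version and spec.source
# matter for the check.
SAMPLE_PODSPEC = """\
Pod::Spec.new do |spec|
  spec.name = 'Folly'
  spec.version = '2018.10.22.00'
  spec.source = { :git => 'https://github.com/facebook/folly.git',
                  :tag => "v#{spec.version}" }
end
"""

# Assumption: the issue names 2019.12.30.00 as a release in which
# CVE-2019-11934 is fixed, so it is used here as the minimum accepted version.
MIN_PATCHED_VERSION = "2019.12.30.00"

# Matches a line such as:   spec.version = '2018.10.22.00'
_VERSION_RE = re.compile(r"""^\s*spec\.version\s*=\s*['"]([0-9.]+)['"]""",
                         re.MULTILINE)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn Folly's date-style version (YYYY.MM.DD.NN) into a comparable tuple."""
    parts = v.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(int(p) for p in parts)


def extract_version(podspec_text: str) -> Optional[str]:
    """Return the spec.version string from podspec text, or None if absent."""
    m = _VERSION_RE.search(podspec_text)
    return m.group(1) if m else None


def expected_git_tag(podspec_text: str) -> Optional[str]:
    """The tag CocoaPods will fetch: 'v' followed by spec.version."""
    v = extract_version(podspec_text)
    return f"v{v}" if v else None


def folly_version_is_patched(podspec_text: str,
                             min_patched: str = MIN_PATCHED_VERSION) -> bool:
    """True if the pinned Folly version is at or after the patched release."""
    v = extract_version(podspec_text)
    if v is None:
        raise ValueError("spec.version not found in podspec")
    return parse_version(v) >= parse_version(min_patched)


def check_podspec_file(path: str) -> Tuple[str, bool]:
    """Read a Folly.podspec from disk and report (version, is_patched)."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    version = extract_version(text) or "unknown"
    return version, folly_version_is_patched(text)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. node_modules/react-native/third-party-podspecs/Folly.podspec
        version, ok = check_podspec_file(sys.argv[1])
    else:
        version = extract_version(SAMPLE_PODSPEC)
        ok = folly_version_is_patched(SAMPLE_PODSPEC)
    status = "patched" if ok else f"predates {MIN_PATCHED_VERSION}, CVE-2019-11934 unpatched"
    print(f"Folly {version} (tag {expected_git_tag(SAMPLE_PODSPEC)}): {status}")
    sys.exit(0 if ok else 1)
```

Run it with the podspec path as the first argument; a non-zero exit status makes it usable as a CI gate, and adjusting MIN_PATCHED_VERSION lets the same check track later Folly releases.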
