CVE-2025-11953
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
4.8.0 < 20.0.0 | affected |
Weaknesses
- CWE-78: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: yes
- Technical Impact: total
Additional References
- https://www.vulncheck.com/blog/metro4shell_eitw
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953
CVE Program Container
Additional References
- https://x.com/SzymonRybczak/status/1986199665000566848
- https://x.com/thymikee/status/1986770875954475375
References
- https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability
- https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.