CVE-2025-11953
Command injection in React Native Community CLI allows remote attackers to perform remote code execution by sending HTTP requests
Description
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
INFO
Published Date :
Nov. 3, 2025, 5:15 p.m.
Last Modified :
Nov. 4, 2025, 3:41 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
Affected Products
The following products are affected by CVE-2025-11953
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | 48a46f29-ae42-4e1d-90dd-c1676c1e5e6d | ||||
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Configure the server to bind only to localhost.
- Update the React Native CLI to the latest version.
- Restrict network access to the development server.
- Disable the development server when not in use.
Public PoC/Exploit Available at Github
CVE-2025-11953 has a 5 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-11953.
| URL | Resource |
|---|---|
| https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547 | |
| https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-11953 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-11953
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
CVE-2025-11953
CVE-2025-11953 demonstration: Critical RCE vulnerability in React Native CLI (CVSS 9.8). Educational security research with proof-of-concept exploits and mitigation strategies.
Shell PowerShell JavaScript
CVE POC repo 자동 수집기
Python
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
security cve exploit poc vulnerability
爬取secwiki和xuanwu.github.io/sec.today,分析安全信息站点、安全趋势、提取安全工作者账号(twitter,weixin,github等)
Python HTML
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-11953 vulnerability anywhere in the article.
-
hackread.com
Severe React Native Flaw Exposes Developer Systems to Remote Attacks
Security researchers at JFrog, a company specialising in software supply chain protection, recently found a severe security problem in a key part of the React Native mobile app development framework. ... Read more
-
Daily CyberSecurity
Critical React Native CLI Flaw (CVE-2025-11953, CVSS 9.8) Allows Unauthenticated RCE via Exposed Metro Server
A newly disclosed critical vulnerability (CVE-2025-11953, CVSS 9.8) in the React Native Community CLI exposes developers to remote code execution (RCE) attacks via the Metro development server, which ... Read more
-
Daily CyberSecurity
Critical WooCommerce Plugin Flaw (CVE-2025-12493, CVSS 9.8) Allows Unauthenticated RCE, 100,000+ Sites Affect
A critical-severity Local File Inclusion (LFI) flaw in the popular WordPress plugin ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) al ... Read more
-
CybersecurityNews
Critical RCE Vulnerability in Popular React Native NPM Package Exposes Developers to Attacks
A critical remote code execution (RCE) vulnerability tracked as CVE-2025-11953 in the @react-native-community/cli NPM package. With nearly 2 million weekly downloads, this package powers the command-l ... Read more
-
The Hacker News
Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks
Nov 04, 2025Ravie LakshmananVulnerability / Supply Chain Security Details have emerged about a now-patched critical security flaw in the popular "@react-native-community/cli" npm package that could ... Read more
The following table lists the changes that have been made to the
CVE-2025-11953 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
Nov. 03, 2025
Action Type Old Value New Value Changed Description The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments. The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments. -
New CVE Received by [email protected]
Nov. 03, 2025
Action Type Old Value New Value Added Description The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-78 Added Reference https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547 Added Reference https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability