CVE-2025-11953
Command injection in React Native Community CLI allows remote attackers to perform remote code execution by sending HTTP requests
In short
The React Native Community CLI opens a development server that accepts commands from anyone on the network without checking who they are. An attacker can send a specially crafted request to run any program on the developer's computer, potentially stealing data or installing malware.
Technical detail
The Metro Development Server binds to external interfaces by default and exposes an endpoint vulnerable to OS command injection (CWE-78). Unauthenticated network attackers can send POST requests to execute arbitrary executables; on Windows, this extends to arbitrary shell commands with full argument control. The attack requires network access to the development server but no authentication.
Summary generated and translated by AI from the official description.
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
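The two conditions described above (a dev server reachable from the network, and a request parameter that reaches the operating system unchecked) can each be closed by a guard in front of the endpoint. The following is an added example, not code from the React Native Community CLI or its fix; the endpoint shape, the `url` parameter name and the request object layout are assumptions.

```javascript
// Added example (not the CLI's code): a request guard for a local
// dev-server endpoint that hands a URL to the OS. Endpoint shape, the
// `url` parameter and the request object layout are assumed for illustration.

// Only loopback peers may use the endpoint, whatever interface the socket
// is bound to. Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d.
function isLoopback(remoteAddress) {
  if (typeof remoteAddress !== "string") return false;
  const addr = remoteAddress.startsWith("::ffff:")
    ? remoteAddress.slice("::ffff:".length)
    : remoteAddress;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(addr)) return true; // 127.0.0.0/8
  return addr === "::1";
}

// The value that would reach the OS is re-parsed with the WHATWG URL parser
// and re-serialised, so only a canonical http(s) URL without credentials ever
// leaves this function; anything else (other schemes, shell metacharacters
// outside a valid URL, oversized input) is rejected as null.
function canonicalHttpUrl(input) {
  if (typeof input !== "string" || input.length > 2048) return null;
  let u;
  try {
    u = new URL(input);
  } catch (_) {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username !== "" || u.password !== "") return null;
  return u.href;
}

// Decision for one request shaped as { remoteAddress, method, body: { url } }.
// Returns { status, url }; url is non-null only when the request is allowed.
function guardOpenUrl(req) {
  if (!isLoopback(req.remoteAddress)) return { status: 403, url: null };
  if (req.method !== "POST") return { status: 405, url: null };
  const url = canonicalHttpUrl(req.body && req.body.url);
  if (url === null) return { status: 400, url: null };
  return { status: 200, url };
}
```

A network peer is refused before the parameter is even looked at, and a loopback peer can only ever pass a canonical http(s) URL onward.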
Affected products
@react-native-community/cli-server-api
Public PoCs found — 4
github.com/SaidBenaissa/cve-2025-11953-vulnerability-demo (★ 4)
github.com/GhoStZA-debug/PoC-CVE-collection (★ 1)
github.com/Mr-In4inci3le/CVE-2025-11953-POC- (★ 0)
github.com/ibreakthingsforaliving/CVE-2025-11953-PoC (★ 0)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953
https://www.vulncheck.com/blog/metro4shell_eitw
https://x.com/SzymonRybczak/status/1986199665000566848
https://x.com/thymikee/status/1986770875954475375