OS Command Injection Vulnerability in Metro Development Server by React Native
CVE-2025-11953

9.8 CRITICAL

Key Information:

Status:
Vendor:
CVE Published: 3 November 2025

Badges

🥇 Trended No. 1 · 📈 Trended · 📈 Score: 5,070 · 👾 Exploit Exists · 🟡 Public PoC · 🟣 EPSS 15% · 🦅 CISA Reported · 📰 News Worthy

What is CVE-2025-11953?

CVE-2025-11953 is a critical OS command injection vulnerability in the Metro Development Server used by the React Native Community Command Line Interface (CLI), a development environment for building mobile applications. An attacker who can reach the server can send a crafted POST request that causes it to execute arbitrary commands on the host system, compromising the integrity and security of any organization that runs it. The server's default configuration makes this worse: it binds to external interfaces, so the server is reachable by unauthenticated external users. Because the injected command runs with fully attacker-controlled arguments, an attacker can manipulate a wide range of system functions, with severe consequences.

Potential impact of CVE-2025-11953

  1. Unauthorized Command Execution: The vulnerability allows attackers to execute arbitrary system commands, potentially leading to full control over the server. This could enable malicious activities such as data exfiltration, service disruption, or even the installation of malware.

  2. Data Breach Risk: Since attackers can manipulate system commands, there is a heightened risk of sensitive data exposure. This could result in significant financial and reputational damage to organizations relying on the compromised server.

  3. Widespread Exploitation Potential: Given the default configuration of the Metro Development Server exposing it to external interfaces, the likelihood of this vulnerability being targeted by malicious actors increases. The existence of publicly accessible instances heightens the risk of exploitation, potentially leading to a widespread impact on multiple organizations.

CISA has reported CVE-2025-11953

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-11953 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package

Active attacks exploit Metro4Shell (CVE-2025-11953) in React Native CLI to execute commands and deploy Rust malware.

4 days ago

Hackers exploit critical React Native Metro bug to breach dev systems

Hackers are targeting developers by exploiting the critical vulnerability CVE-2025-11953 in the Metro server for React Native to deliver malicious payloads for Windows and Linux.

4 days ago

References

EPSS Score

15% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🦅 CISA Reported

  • 🥇 Vulnerability reached the number 1 worldwide trending spot

  • 📈 Vulnerability started trending

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 📰 First article discovered by SecurityWeek

  • Vulnerability published

  • Vulnerability Reserved