OS Command Injection Vulnerability in Metro Development Server by React Native
CVE-2025-11953

9.8 CRITICAL

Key Information:

CVE Published: 3 November 2025

Badges

Trended No. 1 | Trended | Score: 5,070 | Exploit Exists | Public PoC | News Worthy

What is CVE-2025-11953?

CVE-2025-11953 is a significant security vulnerability in the Metro Development Server used by the React Native Community Command Line Interface (CLI), a development environment for building mobile applications. The vulnerability is an OS command injection flaw: an attacker can exploit the server by sending malicious POST requests and thereby execute arbitrary commands on the host system, jeopardizing the integrity and security of any organization running this development server. The default configuration of the Metro Development Server, which binds to external interfaces, exacerbates the risk, because it makes the server reachable by unauthenticated external users. Since the flaw lets an attacker run commands with fully controlled arguments, the attacker could manipulate various system functions, leading to severe repercussions.

Potential impact of CVE-2025-11953

  1. Unauthorized Command Execution: The vulnerability allows attackers to execute arbitrary system commands, potentially leading to full control over the server. This could enable malicious activities such as data exfiltration, service disruption, or even the installation of malware.

  2. Data Breach Risk: Since attackers can manipulate system commands, there is a heightened risk of sensitive data exposure. This could result in significant financial and reputational damage to organizations relying on the compromised server.

  3. Widespread Exploitation Potential: Given the default configuration of the Metro Development Server exposing it to external interfaces, the likelihood of this vulnerability being targeted by malicious actors increases. The existence of publicly accessible instances heightens the risk of exploitation, potentially leading to a widespread impact on multiple organizations.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

Critical React Native CLI Vulnerability Exposes Developers

JFrog discloses a Critical React Native CLI vulnerability, CVE-2025-11953, enabling remote code execution and affecting developer security.

Critical React Native CLI Flaw Puts Millions of Developers at Risk

Critical RCE flaw in React Native CLI tool affects millions. CVE-2025-11953 allows unauthenticated remote command execution. Patch now.

Critical RCE Bug in Leading React Native NPM Module Could Allow Full System Compromise

CVE-2025-11953, a critical RCE flaw affecting the @react-native-community/cli NPM package, receives two million weekly downloads.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reached the number 1 worldwide trending spot

  • Vulnerability started trending

  • Public PoC available

  • Exploit known to exist

  • First article discovered by SecurityWeek

  • Vulnerability published

  • Vulnerability Reserved
