OS Command Injection Vulnerability in Metro Development Server by React Native
CVE-2025-11953

CVSS score: 9.8 (CRITICAL)

Key Information:

  • CVE Published: 3 November 2025

What is CVE-2025-11953?

The Metro Development Server used by the React Native CLI is susceptible to an OS command injection vulnerability because, by default, it binds to external network interfaces rather than only to the local machine. This exposure lets unauthenticated attackers send crafted POST requests to the server and have it execute arbitrary commands or scripts. On Windows systems in particular, attackers can use this vulnerability to run shell commands with attacker-supplied parameters, posing a significant risk to the integrity and security of affected systems.
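Two defender-side checks follow from the description above: confirm whether a development server's bind address exposes it beyond the local machine, and look through access logs for POST requests that reached it from non-loopback clients. The script below is an added example written for this page, not code from React Native or Metro; the log format, the port number (8081, Metro's usual default) and the sample lines are constructed assumptions, and the request paths are placeholders rather than real Metro endpoints.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample access-log lines: "<client-ip> <method> <path> <status>".
# The client IPs and paths are made up for this example; the paths are not
# real Metro endpoints.
SAMPLE_LOG = """\
127.0.0.1 GET /status 200
127.0.0.1 POST /placeholder-endpoint 200
192.0.2.44 POST /placeholder-endpoint 200
192.0.2.44 GET /status 200
::1 POST /placeholder-endpoint 200
198.51.100.7 POST /another-placeholder 500
"""

LOG_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$")


def is_external_bind(host: str) -> bool:
    """Return True if binding to `host` exposes the server beyond the local machine.

    '0.0.0.0' and '::' mean "all interfaces"; any non-loopback address is also
    reachable from the network. Hostnames are treated as external unless they
    are 'localhost', since we cannot resolve them offline.
    """
    if host == "localhost":
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # unresolvable name: assume it is not loopback-only
    return addr.is_unspecified or not addr.is_loopback


def flag_external_posts(log_text: str) -> List[Dict[str, str]]:
    """Return POST requests whose client address is not a loopback address.

    A dev server that should only ever be driven from the developer's own
    machine should see no such requests; each hit is worth investigating.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        if m["method"] != "POST":
            continue
        try:
            client = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if not client.is_loopback:
            findings.append(m.groupdict())
    return findings


if __name__ == "__main__":
    for host in ("127.0.0.1", "localhost", "0.0.0.0", "::", "192.0.2.10"):
        print(f"bind {host!r}: {'EXTERNAL' if is_external_bind(host) else 'local only'}")
    for hit in flag_external_posts(SAMPLE_LOG):
        print(f"external POST from {hit['ip']} to {hit['path']} (status {hit['status']})")
```

The bind check is the quick way to confirm whether a running dev server on port 8081 is reachable from other hosts; the log scan is the retrospective check for whether anything already reached it. Neither relies on knowing the specific vulnerable request shape, so they remain useful regardless of how the injection itself is triggered.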

CVSS v3.1

  • Score: 9.8
  • Severity: CRITICAL
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published: 3 November 2025
  • Vulnerability reserved