← Back

CVE-2025-11953

nvd nist
Published: Nov 3, 2025Modified: Feb 6, 2026CISA KEV

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: reefs@jfrog.com (Secondary)

Description

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Affected (5)

React Native Community
1 product
React Native Community Cli
Configuration A
5 vulnerable
Vulnerable SoftwareAffected Versions
React Native Community Cli
From 19.0.0 to 19.1.2
React Native Community Cli
Version 18.0.0
React Native Community Cli
Version 20.0.0 alpha0
React Native Community Cli
Version 20.0.0 alpha1
React Native Community Cli
Version 20.0.0 alpha2

Related CWEs

CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (6)

Source: reefs@jfrog.com
Patch
Source: reefs@jfrog.com
ExploitMitigationThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
US Government Resource
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitThird Party Advisory

Timeline

No history available yet.