CVE-2025-11953

Warnung

Exploit

EPSS 3.36%
Veröffentlicht 03.11.2025 16:35:07
Zuletzt bearbeitet 06.02.2026 19:43:47
Quelle reefs@jfrog.com
CVE-Watchlists
Login
Unerledigt
Login

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Betroffene Produkte Warnungen 1 Metriken 2 CWE 1 Referenzen 9

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

React-native-community ≫ React Native Community Cli Version >= 19.0.0 < 19.1.2

React-native-community ≫ React Native Community Cli Version18.0.0

React-native-community ≫ React Native Community Cli Version20.0.0 Updatealpha0

React-native-community ≫ React Native Community Cli Version20.0.0 Updatealpha1

React-native-community ≫ React Native Community Cli Version20.0.0 Updatealpha2

05.02.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

React Native Community CLI OS Command Injection Vulnerability

Schwachstelle

React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary executables via a vulnerable endpoint exposed by the server. On Windows, attackers can also execute arbitrary shell commands with fully controlled arguments.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.36%	0.871

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
reefs@jfrog.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability

Third Party Advisory

Exploit

Mitigation

https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547

Patch

https://x.com/SzymonRybczak/status/1986199665000566848

Third Party Advisory

https://x.com/thymikee/status/1986770875954475375

Third Party Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953

US Government Resource