CVE-2025-11953

9.8 CRITICAL

Published: November 03, 2025 Modified: November 11, 2025

Description

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547

Source: reefs@jfrog.com

https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability

Source: reefs@jfrog.com

https://x.com/SzymonRybczak/status/1986199665000566848

Source: af854a3a-2127-422b-91ae-364da2661108

https://x.com/thymikee/status/1986770875954475375

Source: af854a3a-2127-422b-91ae-364da2661108

4 reference(s) from NVD

Quick Stats

CVSS v3 Score

9.8 / 10.0

EPSS (Exploit Probability)

0.5%

65th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-78

Related CVEs

CVE-2025-52691 10.0

CVE-2025-15168 7.3

CVE-2025-15167 7.3

CVE-2025-15166 7.3

CVE-2025-15165 7.3