CVE-2025-11953
OS Command Injection vulnerability in cli (npm)
What is CVE-2025-11953 About?
This vulnerability is an OS command injection flaw in the Metro development server that the React Native CLI launches, a server that by default binds to external network interfaces rather than to loopback only. An unauthenticated attacker with network access to that server can execute arbitrary commands on the developer's host; on Windows this extends to arbitrary shell commands with full control over their arguments. Exploitation is simple: a single unauthenticated POST request over the network.
Affected Software
- @react-native-community/cli
  - <17.0.1
  - >18.0.0, <18.0.1
  - >19.0.0-alpha.0, <19.1.2
  - >20.0.0-alpha.0, <20.0.0
Technical Details
The Metro development server is started by the React Native CLI (`react-native start`) and, by default, listens on all network interfaces rather than only on loopback. Among the HTTP endpoints it exposes is `/open-url`, intended to let tooling ask the developer's machine to open a URL in the default handler: the handler reads a `url` field from the JSON POST body and passes it, without validation, to the third-party `open` package, which launches the platform's URL opener. Because the value is never checked, an unauthenticated attacker who can reach the port controls what is launched. On Linux and macOS the value becomes the argument to the platform opener, which is enough to launch arbitrary executables; on Windows the value is interpolated into a shell command line, so shell metacharacters in the request body yield arbitrary shell commands with full control over their arguments. The net effect is that an unauthenticated remote attacker can gain broad control of the developer's system.
What is the Impact of CVE-2025-11953?
Successful exploitation lets an attacker run arbitrary operating system commands on the developer workstation that is running the development server, leading to full compromise of that machine, theft of the data on it, or denial of service.
What is the Exploitability of CVE-2025-11953?
Exploitation is low in complexity. The only prerequisite is that the Metro development server is running and reachable on a non-loopback interface, which is its default configuration. No authentication, no privileges on the target and no user interaction are required; the attack is a single POST request sent over the network. Conditions that raise the likelihood of exploitation:
- development environments reachable from untrusted networks (shared office or home networks, cloud development hosts)
- no host firewall or network rule restricting access to the development server's port
- developers running the default configuration without realizing that the server is bound to external interfaces
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| SaidBenaissa | Link | CVE-2025-11953 demonstration: Critical RCE vulnerability in React Native CLI (CVSS 9.8). Educational security research with proof-of-concept exploits and mitigation strategies. |
| B1ack4sh | Link | CVE-2025-11953 |
What are the Available Fixes for CVE-2025-11953?
Available Upgrade Options
- @react-native-community/cli
  - <17.0.1 → Upgrade to 17.0.1
  - >18.0.0, <18.0.1 → Upgrade to 18.0.1
  - >19.0.0-alpha.0, <19.1.2 → Upgrade to 19.1.2
  - >20.0.0-alpha.0, <20.0.0 → Upgrade to 20.0.0
Until the upgrade is in place, keep the development server off untrusted networks: restrict its port with a host firewall and do not run it bound to external interfaces.
Additional Resources
- https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability
- https://github.com/react-native-community/cli/commit/5a792169d9883e0b0fb1ddf1ea46778f21510d18
- https://github.com/react-native-community/cli/pull/1615
- https://github.com/react-native-community/cli?tab=readme-ov-file#compatibility
- https://github.com/react-native-community/cli/commit/9e1fa8cc633e5dcf32244ffa60a871880be56722
- https://x.com/SzymonRybczak/status/1986199665000566848
- https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
- https://github.com/react-native-community/cli/releases/tag/v20.0.0
- https://github.com/react-native-community/cli/commit/a8293dc29425f56249753507bc24d87b698d46e1
What are Similar Vulnerabilities to CVE-2025-11953?
Similar Vulnerabilities: CVE-2023-49070, CVE-2022-22965, CVE-2021-44228, CVE-2020-13936, CVE-2019-10172
