Home > Vulnerability Database > CVE-2025-11953

Mend.io Vulnerability Database

CVE-2025-11953

Good to know:

Date: November 3, 2025

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Severity Score

9.8

Related Resources (15)

Url: https://github.com/react-native-community/cli?tab=readme-ov-file#compatibility

Url: https://github.com/react-native-community/cli

Url: https://x.com/thymikee/status/1986770875954475375

Url: https://github.com/react-native-community/cli/commit/9e1fa8cc633e5dcf32244ffa60a871880be56722

Url: https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547

Url: https://github.com/react-native-community/cli/commit/a8293dc29425f56249753507bc24d87b698d46e1

Url: https://x.com/SzymonRybczak/status/1986199665000566848

Url: https://github.com/react-native-community/cli/commit/5a792169d9883e0b0fb1ddf1ea46778f21510d18

Url: https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability

Url: https://github.com/react-native-community/cli/pull/1615

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-11953

Url: https://x.com/szymonrybczak/status/1986199665000566848?s=46

Url: https://github.com/react-native-community/cli/releases/tag/v20.0.0

Url: https://github.com/react-native-community/cli/issues/2733#issuecomment-3502424164

Url: https://www.mend.io/vulnerability-database/CVE-2025-11953

Severity Score

9.8

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

Top Fix

Upgrade Version

Upgrade to version @react-native-community/cli-server-api - 20.0.0;@react-native-community/cli-server-api - 20.0.0;@react-native-community/cli-server-api - 19.1.2;@react-native-community/cli-server-api - 18.0.1;@react-native-community/cli - 20.0.0;@react-native-community/cli - 19.1.2;@react-native-community/cli - 18.0.1;@react-native-community/cli - 17.0.1;https://github.com/react-native-community/cli.git - v20.0.0

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-11953

Good to know:

Date: November 3, 2025

Severity Score

Related Resources (15)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?