Vulnerability DatabaseCVE-2025-11953
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2025-11953
November 03, 2025
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
Affected Packages
https://github.com/react-native-community/cli.git (GITHUB):
Affected version(s) >=v19.0.0-alpha.0 <v19.1.2
Fix Suggestion:
Update to version v19.1.2
https://github.com/react-native-community/cli.git (GITHUB):
Affected version(s) >=v20.0.0-alpha.0 <v20.0.0
Fix Suggestion:
Update to version v20.0.0
https://github.com/react-native-community/cli.git (GITHUB):
Affected version(s) =v18.0.0 <v18.0.1
Fix Suggestion:
Update to version v18.0.1
@react-native-community/cli (NPM):
Affected version(s) >=20.0.0-alpha.0 <20.0.0
Fix Suggestion:
Update to version 20.0.0
@react-native-community/cli (NPM):
Affected version(s) >=19.0.0-alpha.0 <19.1.2
Fix Suggestion:
Update to version 19.1.2
@react-native-community/cli-server-api (NPM):
Affected version(s) >=20.0.0-alpha.0 <20.0.0
Fix Suggestion:
Update to version 20.0.0
@react-native-community/cli (NPM):
Affected version(s) =18.0.0 <18.0.1
Fix Suggestion:
Update to version 18.0.1
@react-native-community/cli-server-api (NPM):
Affected version(s) =18.0.0 <18.0.1
Fix Suggestion:
Update to version 18.0.1
@react-native-community/cli-server-api (NPM):
Affected version(s) >=19.0.0-alpha.0 <19.1.2
Fix Suggestion:
Update to version 19.1.2
Additional Notes
The description of this vulnerability differs from MITRE.
Related ResourcesĀ (16)
https://x.com/szymonrybczak/status/1986199665000566848?s=46
https://nvd.nist.gov/vuln/detail/CVE-2025-11953
https://github.com/react-native-community/cli/commit/a8293dc29425f56249753507bc24d87b698d46e1
https://github.com/react-native-community/cli/commit/5a792169d9883e0b0fb1ddf1ea46778f21510d18
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953
https://www.vulncheck.com/blog/metro4shell_eitw
https://github.com/react-native-community/cli?tab=readme-ov-file#compatibility
https://x.com/thymikee/status/1986770875954475375
https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
https://github.com/react-native-community/cli
https://x.com/SzymonRybczak/status/1986199665000566848
https://github.com/react-native-community/cli/releases/tag/v20.0.0
https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability
https://github.com/react-native-community/cli/issues/2733#issuecomment-3502424164
https://github.com/react-native-community/cli/commit/9e1fa8cc633e5dcf32244ffa60a871880be56722
https://github.com/react-native-community/cli/pull/1615
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
ATTACKED
CVSS v3
Base Score:
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Exploit Maturity
HIGH
Weakness Type (CWE)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-78
EPSS
Base Score:
7.71