React Native Community Cli
CVE-2025-11953
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5Blast Radius
ecosystem impact- 1 npm packages depend on @react-native-community/cli-server-api (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 20.0.0-alpha.0.
DescriptionCVE.org
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
AnalysisAI
React Native Metro Development Server binds to external interfaces by default and contains an OS command injection endpoint, allowing unauthenticated network attackers to execute arbitrary code.
Technical ContextAI
The CWE-78 command injection in the Metro dev server's API endpoint processes POST requests that execute system commands. The server binds to 0.0.0.0 by default, making it accessible to anyone on the network.
RemediationAI
Apply the patch. Configure Metro to bind to localhost only. Never run dev servers on untrusted networks.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today