What is the CVSS score of CVE-2025-11953?

CVE-2025-11953 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 3.4%.

Which versions of Windows are affected by CVE-2025-11953?

CVE-2025-11953 presents critical security risk, a OS command injection vulnerability rated CVSS 9.8.. A patch is available.

Is there a public PoC exploit available for CVE-2025-11953?

Yes, a public proof-of-concept exploit is available for CVE-2025-11953. Prioritise patching immediately. EPSS: 3.4%.

How to fix or mitigate CVE-2025-11953?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Validate that input sanitization is in place for all user-controlled parameters.

Windows CVE-2025-11953

CRITICAL

OS Command Injection (CWE-78)

2025-11-03 reefs@jfrog.com

Windows Command Injection Microsoft Red Hat React Native Community Cli

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:20 vuln.today

Patch released

Mar 28, 2026 - 19:20 nvd

Patch available

Added to CISA KEV

Feb 06, 2026 - 19:43 cisa

CISA KEV

PoC Detected

Feb 06, 2026 - 19:43 vuln.today

Public exploit code

CVE Published

Nov 03, 2025 - 17:15 nvd

CRITICAL 9.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 npm packages depend on @react-native-community/cli-server-api (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 20.0.0-alpha.0.

DescriptionNVD

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

AnalysisAI

React Native Metro Development Server binds to external interfaces by default and contains an OS command injection endpoint, allowing unauthenticated network attackers to execute arbitrary code.

Technical ContextAI

The CWE-78 command injection in the Metro dev server's API endpoint processes POST requests that execute system commands. The server binds to 0.0.0.0 by default, making it accessible to anyone on the network.

RemediationAI

Apply the patch. Configure Metro to bind to localhost only. Never run dev servers on untrusted networks.

More from same product – last 7 days

CVE-2026-10044 HIGH This Week POC

7.5 May 28

{filename} endpoint. The flawed traversal filter only rejects forward slashes and '..' sequences, leaving absolute Windo

CVE-2026-40412 CRITICAL Monitor

10.0 May 22

Remote code execution in Microsoft Azure Orbital Spatio allows unauthenticated network attackers to upload dangerous fil

CVE-2026-41104 CRITICAL Monitor

10.0 May 22

Unsafe deserialization in Microsoft Planetary Computer Pro (Geocatalog) lets a remote unauthenticated attacker craft mal

CVE-2026-23652 CRITICAL Monitor

10.0 May 22

Remote code execution in Microsoft Power Pages allows unauthenticated network attackers to inject and execute operating-

CVE-2026-47280 CRITICAL Monitor

10.0 May 22

Privilege elevation in Microsoft Azure Resource Manager (ARM) allows remote unauthenticated attackers to bypass authenti

Vendor StatusVendor

CVE-2025-11953 vulnerability details – vuln.today

Back

Windows CVE-2025-11953

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code