CVE-2025-11953

CRITICAL 9.8 (CVSS 3.1)
2025-11-03 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 28, 2026 - 19:20 (vuln.today)
Patch Released: Mar 28, 2026 - 19:20 (nvd) - Patch available
Added to CISA KEV: Feb 06, 2026 - 19:43 (cisa)
PoC Detected: Feb 06, 2026 - 19:43 (vuln.today) - Public exploit code
CVE Published: Nov 03, 2025 - 17:15 (nvd)

Description

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Analysis

React Native Metro Development Server binds to external interfaces by default and contains an OS command injection endpoint, allowing unauthenticated network attackers to execute arbitrary code.

Technical Context

The flaw is a CWE-78 OS command injection: an API endpoint on the Metro dev server accepts POST requests whose contents are passed into a system command. Because the server binds to 0.0.0.0 by default, the endpoint is reachable by anyone who can reach the developer's machine on the network, with no authentication.

Affected Products

React Native Community CLI Metro Development Server

Remediation

Apply the patch. Configure Metro to bind to localhost only. Never run dev servers on untrusted networks.
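A quick exposure check for the second remediation step, added here as an example and not part of the vuln.today record or the React Native project. It assumes a Linux host where `ss -ltn` lists listening sockets and that Metro is on its usual port 8081 (override with METRO_PORT); the sample socket listing below is constructed.

```shell
#!/bin/sh
# Flags a Metro dev server that listens on all interfaces instead of loopback.
# Assumption: Metro's default port is 8081; `ss -ltn` column 4 is "Local Address:Port".
METRO_PORT="${METRO_PORT:-8081}"

# Reads `ss -ltn` lines on stdin, prints each wildcard-bound local address on
# the Metro port, and returns 0 if exposed, 1 if only loopback (or nothing) listens.
metro_exposed() {
  awk -v port="$METRO_PORT" '
    $1 == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")
      p = parts[n]                                   # port is the last field
      host = substr(addr, 1, length(addr) - length(p) - 1)
      if (p != port) next
      if (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::") {
        print addr; found = 1
      }
    }
    END { exit (found ? 0 : 1) }'
}

# Constructed sample: Metro bound to every interface, adb bound to loopback only.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:8081      0.0.0.0:*
LISTEN 0      511        127.0.0.1:5037      0.0.0.0:*'

check_sample() { printf '%s\n' "$SAMPLE" | metro_exposed; }

# Live use on a Linux dev box (the --host flag is the CLI's own option for the bind address):
#   ss -ltn | metro_exposed && echo "Metro reachable from the network; restart with: npx react-native start --host 127.0.0.1"
```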

Priority Score

122
KEV: +50
EPSS: +3.4
CVSS: +49
POC: +20

Vendor Status
