CVE-2025-11953
📛 CVE Title
Command injection in React Native Community CLI allows remote attackers to perform remote code execution by sending HTTP requests
Description
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
Overview
- State
- PUBLISHED
- Assigner (CNA)
- JFROG
- CVSS severity
- CRITICAL
- CVSS score
- 9.8 / 10
- CVSS vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Effective score
- 9.8 / 10 CRITICAL (source: CNA overview)
- CWE(s)
- CWE-78
- Reserved
- 2025-10-20
- Published
- 2025-11-03 16:35 UTC
- Last updated
- 2026-02-26 17:47 UTC
- Source
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/11xxx/CVE-2025-11953.json
- Linked Threat
- CVE-2025-11953 — React Native Community CLI: React Native Community CLI OS Command Injection Vulnerability
CISA Known Exploited Vulnerabilities CISA KEV
CISA has confirmed in-the-wild exploitation of this CVE. Federal agencies must remediate by the due date below; private orgs should treat it as priority-1.
- Vulnerability name
- React Native Community CLI OS Command Injection Vulnerability
- Vendor / project
- React Native Community
- Product
- CLI
- Date added to KEV
- 2026-02-05
- Remediation due
- 2026-02-26
- Required action
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- Ransomware campaign use
- Unknown
- CISA notes
- This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547 ; https://github.com/react-native-community/cli/pull/2735 ; https://nvd.nist.gov/vuln/detail/CVE-2025-11953
- CISA listing
- www.cisa.gov/known-exploited-vulnerabilities-catalog
NVD triage scoring NVD CVE 2.0
Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.
- NVD published
- 2025-11-03 17:15:32 UTC
- NVD last modified
- 2026-02-06 19:43:47 UTC
- NVD CVSS v3.1
- 9.8 / 10 CRITICAL source: reefs@jfrog.com
- NVD CVSS vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Exploitability subscore
- 3.9 / 10
- Impact subscore
- 5.9 / 10
- EPSS score
- 0.2968 (probability of exploitation in next 30 days)
- EPSS percentile
- 96.70% of all CVEs (higher = more likely to be exploited), as of 2026-05-24
NVD / KEV / EPSS data refreshed 2026-05-25 05:55 UTC.
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID
- EUVD-2025-37505
- Assigner
- JFROG
- Published
- Nov 3, 2025, 4:35:07 PM
- Updated
- Feb 26, 2026, 5:47:39 PM
- EUVD base score (CVSS 3.1)
- 9.8 / 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- EUVD-reported EPSS
- 20.1200
- Aliases
- GHSA-399j-vxmf-hjvr
ENISA description: identical to the CNA description above.
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| — | — | 4.8.0 (affected) | — |
Affected products — CPE 2.3 (5) NVD
NVD's normalized CPE 2.3 matchers, used by vendor tools (vulnerability scanners, asset managers) for automated detection. Compare with the CNA's free-text "Affected products" section above.
- cpe:2.3:a:react-native-community:react_native_community_cli:*:*:*:*:*:*:*:*
- cpe:2.3:a:react-native-community:react_native_community_cli:18.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha0:*:*:*:*:*:*
- cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha2:*:*:*:*:*:*
Remediations (9)
Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.
- web:zecurit.com (2026-05-14 17:20 UTC): Get the complete breakdown of Microsoft's May 2026 Patch Tuesday. We analyze the latest security updates and all critical CVEs.
- web:attack.mitre.org (2026-05-14 17:20 UTC): This mitigation can be implemented through the following measures: Regular Operating System Updates Implementation: Apply the latest Windows security updates monthly using WSUS (Windows Server Update Services) or a similar patch management solution. Configure systems to check for updates automatically and schedule reboots during maintenance ...
- web:github.com (2026-05-14 17:20 UTC): A new and improved community patch for BO3. Contribute to shiversoftdev/t7patch development by creating an account on GitHub.
- web:nvd.nist.gov (2026-05-14 17:20 UTC): An official website of the United States government. Here's how you know.
- web:portal.msrc.microsoft.com (2026-05-14 17:20 UTC): The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.
- web:adaptiva.com (2026-05-14 17:20 UTC): OneSite Patch is an autonomous patch management solution that remediates vulnerabilities and patches third-party applications, Windows, drivers, and BIOS.
- web:www.csa.gov.sg (2026-05-14 17:20 UTC): Security researchers have identified a critical vulnerability (CVE-2025-11953) in the React Native CLI NPM package. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.8 out of 10.
- web:www.tenable.com (2026-05-14 17:20 UTC): Microsoft addresses 56 CVEs, including two publicly disclosed vulnerabilities and one zero-day that was exploited in the wild, to close out the final Patch Tuesday of 2025.
- CISA KEV (2026-05-14 01:13 UTC): Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-02-26. Known ransomware campaign use: Unknown.
Vendor references (2)
References embedded in the original CVE record by the assigning CNA.
Web references (5)
DuckDuckGo results ranked by threat-intel / vendor advisory domains.
- https://attackerkb.com/topics/CVE-2025-11953 rapid7:attackerkb.com
- https://github.com/react-native-community/cli/security/advisories/GHSA-v98m-9686-p696 rapid7:github.com
- https://jfrog.com/blog/metro4shell-rce-vulnerability-in-react-native-metro-cve-2025-11953/ rapid7:jfrog.com
- https://nvd.nist.gov/vuln/detail/CVE-2025-11953 rapid7:nvd.nist.gov
- https://www.cve.org/CVERecord?id=CVE-2025-11953 rapid7:www.cve.org
NVD-tagged references (6)
Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.
- https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547 (reefs@jfrog.com) — Patch
- https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability (reefs@jfrog.com) — Exploit, Mitigation, Third Party Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953 (134c704f-9b21-4f2e-91b3-4a467353bcc0) — US Government Resource
- https://www.vulncheck.com/blog/metro4shell_eitw (134c704f-9b21-4f2e-91b3-4a467353bcc0) — Exploit, Third Party Advisory
- https://x.com/SzymonRybczak/status/1986199665000566848 (af854a3a-2127-422b-91ae-364da2661108) — Third Party Advisory
- https://x.com/thymikee/status/1986770875954475375 (af854a3a-2127-422b-91ae-364da2661108) — Third Party Advisory
Indicators (2)
IOCs linked to the auto-promoted Threat row.
| Type | Value | VirusTotal | Attached |
|---|---|---|---|
| cwe | CWE-78 | no local data | 2026-05-14 02:58 UTC |
| cve | CVE-2025-11953 | no local data | 2026-05-14 02:58 UTC |
Raw JSON
The full cvelistV5 record (CVE-2025-11953.json).
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11953",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-06T04:55:17.609697Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2026-02-05",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:39.982Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/blog/metro4shell_eitw"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-05T00:00:00.000Z",
"value": "CVE-2025-11953 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-11T17:06:16.919Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://x.com/SzymonRybczak/status/1986199665000566848"
},
{
"url": "https://x.com/thymikee/status/1986770875954475375"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.npmjs.com",
"defaultStatus": "unaffected",
"packageName": "@react-native-community/cli-server-api",
"versions": [
{
"lessThan": "20.0.0",
"status": "affected",
"version": "4.8.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "<p>The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.</p>"
}
],
"value": "The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-03T19:10:09.928Z",
"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"shortName": "JFROG"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability"
},
{
"tags": [
"patch"
],
"url": "https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Command injection in React Native Community CLI allows remote attackers to perform remote code execution by sending HTTP requests",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d",
"assignerShortName": "JFROG",
"cveId": "CVE-2025-11953",
"datePublished": "2025-11-03T16:35:07.168Z",
"dateReserved": "2025-10-20T10:34:44.694Z",
"dateUpdated": "2026-02-26T17:47:39.982Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}