External risk intelligence

React Native Community CLI OS Command Injection Vulnerability

CVE advisory | Known Exploit

CVE-2025-11953

The React Native Community CLI's Metro Development Server has a vulnerability that allows unauthenticated network attackers to execute arbitrary commands. This can affect an organization's systems and data by enabling unauthorized code execution. CISA has listed this vulnerability as actively exploited.

Halo Surface Signal: 1

OS Command Injection

React Native Community / React Native Community CLI

Affected versions: 19.0.0 to before 19.1.2; 18.0.0; 20.0.0

External exposure likelihood

Halo Surface Signal score for CVE-2025-11953

The Metro Development Server is a local development tool used during the software build and debugging process. It is intended for use in isolated, developer-only environments on local machines or internal networks. It is not an internet-facing production service, and its default network binding behavior relates to local development workflows, not public-facing deployment.

Horizon Alert

Summary of the vulnerability and why it matters

The React Native Community CLI's Metro Development Server can be exploited by external attackers. This flaw enables attackers to execute arbitrary code on affected systems through network requests. The impact can include unauthorized system control and data compromise.

  • Vulnerable server component
  • OS command injection
  • Arbitrary code execution

Attack Path

How an attacker could exploit the issue

The React Native Community CLI's Metro Development Server, when exposed externally, is reachable by attackers. By sending a crafted POST request to a specific endpoint, an unauthenticated network attacker can achieve command injection. This allows execution of arbitrary code or shell commands on the affected system, potentially leading to significant business risk.

  • External network exposure required.
  • Attacker sends POST request.
  • Executes arbitrary code or commands.

Live Threat

Current exploitation, exposure, and threat context

The React Native Community CLI contains a critical vulnerability allowing unauthenticated network attackers to execute arbitrary code. This occurs through an endpoint on the Metro Development Server, which binds to external interfaces by default. Attackers can send a POST request to run executables or, on Windows, shell commands with controlled arguments.

  • Likely attacker skill level: Basic.
  • Required access or conditions: Network access.
  • Business risk or urgency: High.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The React Native Community CLI's Metro Development Server has a vulnerability allowing unauthenticated attackers to execute arbitrary commands by sending a POST request to a specific endpoint. This could affect an organization's systems and data by allowing unauthorized code execution. CISA has listed this vulnerability as actively exploited.

  • Find exposed assets.
  • Reduce exposure or isolate risk.
  • Apply vendor fix, verify, and monitor.
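As an added example (not part of this advisory or of the React Native project), a small Python check for the first step above: it parses `ss -ltnp` output and flags Node processes that have the Metro dev server's default port bound to a wildcard address, i.e. reachable from outside the host. It assumes port 8081 as the Metro default, which the page does not state, and the `ss` lines below are constructed sample data.

```python
import re
import subprocess

# Constructed sample of `ss -H -ltnp` output (not taken from the advisory).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:8081 0.0.0.0:* users:(("node",pid=4242,fd=21))
LISTEN 0 511 127.0.0.1:8081 0.0.0.0:* users:(("node",pid=4343,fd=21))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=911,fd=3))
LISTEN 0 511 [::]:8081 [::]:* users:(("node",pid=4444,fd=19))
LISTEN 0 511 *:19000 *:* users:(("node",pid=4545,fd=19))
"""

# Assumption: Metro listens on 8081 unless the developer overrides it.
METRO_DEFAULT_PORT = 8081
# Local addresses that mean "every interface", i.e. external exposure.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}

_LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_local_addr(addr: str):
    """Split an ss local address such as '[::]:8081' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def find_exposed_dev_servers(ss_output: str, port: int = METRO_DEFAULT_PORT):
    """Return Node listeners on `port` bound to a wildcard address."""
    findings = []
    for line in ss_output.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        host, lport = parse_local_addr(m.group("local"))
        if lport == port and host in WILDCARD_HOSTS and m.group("proc") == "node":
            findings.append({"pid": int(m.group("pid")), "bind": host, "port": lport})
    return findings


if __name__ == "__main__":
    # Live check on a Linux host: loopback-only binds are not reported.
    live = subprocess.run(["ss", "-H", "-ltnp"], capture_output=True, text=True).stdout
    for f in find_exposed_dev_servers(live):
        print(f"pid {f['pid']}: node bound to {f['bind']}:{f['port']} (externally reachable)")
```

A hit means the dev server is listening beyond localhost and belongs in the "reduce exposure or isolate" step; the loopback-bound instance in the sample is deliberately not reported.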

Frequently asked questions

What is the primary function of the React Native Community CLI?

The React Native Community CLI is a command-line interface tool that developers use to build and manage mobile applications with the React Native framework. It includes the Metro Development Server, which aids in development and debugging.

What type of vulnerability is CVE-2025-11953?

CVE-2025-11953 is an OS command injection vulnerability (CWE-78). This allows attackers to execute unintended operating system commands on a target system.

How can an attacker exploit CVE-2025-11953?

An unauthenticated network attacker can exploit this by sending a POST request to a specific endpoint on the Metro Development Server, leading to arbitrary executable or shell command execution.

What is the significance of CVE-2025-11953 according to the Halo Surface Signal?

Halo classifies this CVE as 'Very unlikely' to be exploited in a way that affects production environments, as the Metro Development Server is typically a local development tool, not an internet-facing production service.

What steps should be taken to address the CVE-2025-11953 vulnerability?

Organizations should identify exposed assets, reduce their exposure or isolate the risk, and apply vendor-provided fixes, followed by verification and monitoring.
