CVE-2025-11953

Published Nov 3, 2025

Last updated 2 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-11953 is a vulnerability in the `@react-native-community/cli` NPM package, specifically affecting versions 4.8.0 through 20.0.0-alpha.2. This flaw stems from the Metro development server, used by React Native, binding to external interfaces by default and exposing an "/open-url" endpoint susceptible to OS command injection. The vulnerability allows unauthenticated network attackers to send a POST request to the server, running arbitrary executables. On Windows, attackers can execute arbitrary shell commands with fully controlled arguments. While macOS and Linux systems have slightly more restricted exploitation paths, researchers believe arbitrary command execution is achievable. The package has been patched in version 20.0.0.

Description
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
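As an added check for the affected range stated in the summary and description above (example code, not from the advisory or the react-native-community/cli project): a Python helper that decides whether an installed `@react-native-community/cli` version falls in 4.8.0 through 20.0.0-alpha.2 using semver precedence (a prerelease sorts below its matching release), and scans the `packages` map of a package-lock.json; the lockfile fragment is constructed for the demo.

```python
# Added example: flag @react-native-community/cli versions in the affected
# range 4.8.0 .. 20.0.0-alpha.2 (inclusive); fixed release is 20.0.0.
import re

PACKAGE = "@react-native-community/cli"
AFFECTED_FROM = "4.8.0"              # first affected version (from the summary)
AFFECTED_THROUGH = "20.0.0-alpha.2"  # last affected version (from the summary)
FIXED = "20.0.0"

_SEMVER = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

def parse(version: str) -> tuple:
    """Return a key that sorts by semver precedence (build metadata ignored)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core + ((1,),)  # a release outranks any prerelease of the same core
    parts = []
    for ident in pre.split("."):
        # numeric identifiers compare numerically and rank below alphanumeric ones
        parts.append((0, int(ident), "") if ident.isdigit() else (1, 0, ident))
    return core + ((0, tuple(parts)),)

def is_affected(version: str) -> bool:
    return parse(AFFECTED_FROM) <= parse(version) <= parse(AFFECTED_THROUGH)

def check_lockfile(lock: dict) -> list:
    """List (path, version) for every affected copy of the CLI in a
    lockfileVersion 2/3 package-lock.json dict (nested copies included)."""
    hits = []
    for path, entry in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PACKAGE):
            ver = entry.get("version", "")
            if ver and is_affected(ver):
                hits.append((path, ver))
    return hits

# Constructed sample lockfile fragment (not a real project's lockfile).
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/@react-native-community/cli": {"version": "15.0.1"},
        "node_modules/tool/node_modules/@react-native-community/cli": {"version": "20.0.0"},
    },
}

if __name__ == "__main__":
    for path, ver in check_lockfile(SAMPLE_LOCK):
        print(f"affected: {path} {ver} -> upgrade to {FIXED}")
```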
Source
reefs@jfrog.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

reefs@jfrog.com
CWE-78

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

33

  1. 🚨 Critical flaw (CVE-2025-11953) in a popular React Native NPM package allows arbitrary code execution on Windows, macOS & Linux — developers at risk! Patch immediately. More: https://t.co/YQnpr5AvEK Follow me for support.

    @kernelpanicsec

    5 Nov 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 Critical flaw (CVE-2025-11953) in a popular React Native NPM package allows arbitrary code execution on Windows, macOS & Linux — developers at risk! Patch immediately. More: https://t.co/YQnpr5B3ui Follow us for support: @kernel_panic69

    @kernelpanicsec

    5 Nov 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-11953: Critical RCE weakness puts native developers at risk https://t.co/69gOjCGTYF https://t.co/AGBODWRQDl

    @freedomhack101

    5 Nov 2025

    93 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Warning: Critical vulnerability patched in the #React Native Community CLI NPM package. #CVE-2025-11953; CVSS 9.8, can lead to OS command execution. More information in our advisory: https://t.co/i6LXRJFUzY. Time to #Patch #Patch #Patch

    @CCBalert

    5 Nov 2025

    29 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. 🚨CVE-2025-11953: Command Injection in React Native Metro Server allows unauthenticated remote attacks. Lock down your dev environment & watch for updates! More: https://t.co/BIfChq6tEr #DevSecOps #CyberRisk https://t.co/vzSLLip8y7

    @rapidriskradar

    5 Nov 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🗞️ A critical vulnerability (CVE-2025-11953) has been discovered in the @react-native-community/cli npm package, affecting millions of developers. The flaw allows remote unauthenticated attackers to execute arbitrary OS commands on machines running the development server.

    @gossy_84

    5 Nov 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  7. A flaw in the Metro server within React Native CLI allowed executing system commands without authentication. JFrog disclosed it as CVE-2025-11953 and Meta closed it in version 20.0.0. The lesson? Even development tools need

    @Arageek

    5 Nov 2025

    293 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨 A critical vulnerability in React Native CLI exposed millions of developers to RCE attacks! The #CVE-2025-11953 flaw allowed attackers to run arbitrary operating system commands

    @vulnerbyte

    5 Nov 2025

    60 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk https://t.co/YbthHwWuz1 #appsec

    @eyalestrin

    5 Nov 2025

    19 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk https://t.co/WTTglaACTG via @jfrog

    @kaly7dev

    5 Nov 2025

    66 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. RCE via React Native CLI vulnerability CVE-2025-11953, a threat to developers https://t.co/ZK8R874o2V #Security #セキュリティー #ニュース

    @SecureShield_

    5 Nov 2025

    50 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. 🚨🚨CVE-2025-11953(CVSS 9.8): Unauthenticated RCE in React Native CLI The Metro server is reachable by default and contains an unauthenticated command-injection flaw that allows RCE. Search by vul.cve Filter👉vul.cve="CVE-2025-11953" ZoomEye Dork👉app="React Native Commu

    @zoomeye_team

    5 Nov 2025

    10712 Impressions

    31 Retweets

    88 Likes

    34 Bookmarks

    2 Replies

    2 Quotes

  13. 🚨 Critical RCE Flaw in Popular React Native NPM Package Exposes Developers to Attacks Read more: https://t.co/E3xaKUIUkQ A critical remote code execution (RCE) vulnerability tracked as CVE-2025-11953 in the @ react-native-community/cli NPM package. With nearly 2 million ht

    @The_Cyber_News

    5 Nov 2025

    2388 Impressions

    16 Retweets

    30 Likes

    12 Bookmarks

    0 Replies

    1 Quote

  14. CVE-2025-11953 Critical RCE in React Native CLI - https://t.co/eDI87OhZqm

    @piedpiper1616

    5 Nov 2025

    858 Impressions

    4 Retweets

    9 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  15. A serious threat to React Native developers. A vulnerability that could allow arbitrary code to be executed remotely has been found in the popular NPM package "@react-native-community/cli". The impact extends to more than 2 million downloads per week worldwide. Discovered by JFrog

    @yousukezan

    4 Nov 2025

    1213 Impressions

    4 Retweets

    9 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  16. Critical flaw in React Native CLI allows remote command execution: Vulnerability CVE-2025-11953 in the @react-native-community/cli package, now fixed, allowed unauthenticated remote execution of OS commands, affecting developers who use the Metro server. https://t

    @caveiratech

    4 Nov 2025

    54 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  17. A critical vulnerability was discovered in the popular react-native package that could be exploited by unauthorized attackers to run malicious operating system commands. This security flaw, which

    @Teeegra

    4 Nov 2025

    609 Impressions

    0 Retweets

    9 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  18. Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk https://t.co/yPPbGnb8yy https://t.co/TT8cAmo5Un

    @secharvesterx

    4 Nov 2025

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. A critical flaw (CVE-2025-11953) in the React Native Community CLI package allows unauthenticated remote command execution via POST requests. Meta released v20.0.0 to fix the issue. #ReactNative #NPMpackage #USA https://t.co/ptm54Yoykn

    @TweetThreatNews

    4 Nov 2025

    10 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. CVE-2025-11953: Critical RCE in React Native CLI exposes developers to remote commands Vulnerability, CLI, JFrog, rce, react native https://t.co/OCej6M3LF4 https://t.co/T08RW89tNz

    @matricedigitale

    4 Nov 2025

    53 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk https://t.co/fX2x0A91Li

    @_r_netsec

    4 Nov 2025

    1037 Impressions

    1 Retweet

    3 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  22. ⚠️ Heads up, React Native devs: We've just disclosed CVE-2025-11953, a critical CVSS 9.8 RCE vulnerability in the React Native CLI. 🚩The risk: An unauthenticated network attacker can get #RCE on your machine via the running dev server. Full technical breakdown & miti

    @jfrog

    4 Nov 2025

    7482 Impressions

    3 Retweets

    13 Likes

    4 Bookmarks

    0 Replies

    4 Quotes

  23. [CVE-2025-11953: CRITICAL] Beware of the security risk in React Native CLI! Metro Development Server exposes a vulnerable endpoint to OS command injection, enabling attackers to run arbitrary executables.#cve,CVE-2025-11953,#cybersecurity https://t.co/V0bIRaWjiq https://t.co/5dbP

    @CveFindCom

    3 Nov 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. **CVE-2025-11953** pertains to a critical security flaw within the Metro Development Server used in React Native development environments. By default, this server binds to external interfaces, making it accessible beyond the local machine. The exposed server endpoint allows

    @CveTodo

    3 Nov 2025

    46 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. CVE-2025-11953 The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to O… https://t.co/PGT3QIG8Qk

    @CVEnew

    3 Nov 2025

    279 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes