AI description
CVE-2025-11953 is an OS command injection vulnerability (CWE-78) in the `@react-native-community/cli` NPM package, affecting versions 4.8.0 through 20.0.0-alpha.2. The flaw is in the Metro development server that the CLI starts: by default the server binds to external interfaces rather than loopback only, and it exposes an "/open-url" endpoint whose input reaches an OS command without adequate sanitisation. An unauthenticated attacker who can reach the server over the network can therefore send a single POST request and have the development machine launch an arbitrary executable. On Windows the attacker can also run arbitrary shell commands with fully controlled arguments; on macOS and Linux the exploitation path is narrower, but JFrog, who reported the flaw, assesses that arbitrary command execution is likely achievable there as well. Because the exposed component is a development-time server, the machines at risk are developer workstations and build hosts running it, and anyone on the same network segment can reach them. The issue is fixed in version 20.0.0.
- Description: The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
- Source: reefs@jfrog.com
- NVD status: Awaiting Analysis
CVSS 3.1
- Type: Secondary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
- Source: reefs@jfrog.com
- CWE: CWE-78 (OS Command Injection)
- Hype score: Not currently trending
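The affected range above (4.8.0 up to and including 20.0.0-alpha.2, fixed in 20.0.0) is easy to get wrong with a naive version comparison, because the prerelease 20.0.0-alpha.2 is vulnerable while the release 20.0.0 with the same numeric parts is not. The following added example, which is not part of the advisory or of the React Native CLI project, walks an npm `package-lock.json` (lockfile version 2 or 3, where installed packages live under the `packages` map keyed by their `node_modules/...` path) and reports every copy of the affected package, including nested copies, whose version falls inside that range. It matches both `@react-native-community/cli`, the package the description names, and the `@react-native-community/cli-server-api` sub-package that one of the posts below names; the lock-file content embedded at the bottom is constructed for the example.

```javascript
// Added example, not code from the advisory or the React Native CLI project.
// Checks an npm package-lock.json (lockfileVersion 2/3) for copies of the
// affected package inside the vulnerable range named in the description.
// Run with: node check-rn-cli.js

const AFFECTED_PACKAGES = [
  '@react-native-community/cli-server-api',
  '@react-native-community/cli',
];
const FIRST_AFFECTED = '4.8.0';   // inclusive lower bound from the description
const FIRST_FIXED = '20.0.0';     // first non-vulnerable release

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
// Build metadata after "+" is ignored, as semver precedence rules require.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    nums: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// Semver 2.0 precedence: numeric parts first; a prerelease sorts before the
// release with the same numbers (20.0.0-alpha.2 < 20.0.0), which is exactly
// the boundary that matters for this CVE. Returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;    // release > prerelease
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;   // shorter prerelease list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) {
      return -1;                      // numeric identifiers sort before alphanumeric
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// True when FIRST_AFFECTED <= v < FIRST_FIXED.
function isAffectedVersion(v) {
  return compareSemver(v, FIRST_AFFECTED) >= 0 && compareSemver(v, FIRST_FIXED) < 0;
}

// Walk the "packages" map. Keys look like "node_modules/@scope/name" or,
// for nested installs, "node_modules/a/node_modules/@scope/name", so a
// suffix match on "node_modules/<package>" catches every copy.
function findAffected(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = AFFECTED_PACKAGES.find((p) => path.endsWith('node_modules/' + p));
    if (!name || !entry.version) continue;
    if (isAffectedVersion(entry.version)) hits.push({ path, name, version: entry.version });
  }
  return hits;
}

// Constructed sample lock file: the top-level packages are patched, but a
// nested copy pulled in by another tool is still on a vulnerable version.
const SAMPLE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    'node_modules/@react-native-community/cli': { version: '20.0.0' },
    'node_modules/@react-native-community/cli-server-api': { version: '20.0.0' },
    'node_modules/some-tool/node_modules/@react-native-community/cli-server-api': { version: '15.1.3' },
    'node_modules/metro': { version: '0.82.0' },
  },
});

const hits = findAffected(SAMPLE_LOCK);
for (const h of hits) console.log(`AFFECTED ${h.name}@${h.version} at ${h.path}`);
if (hits.length === 0) console.log('no affected versions found');
```

To run it against a real project, replace `SAMPLE_LOCK` with `fs.readFileSync('package-lock.json', 'utf8')`. A clean result only says the vulnerable code is not installed; it says nothing about whether a Metro server on the host is currently listening on a non-loopback address, which is a separate check.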
React Native CLI vulnerability: when development tools become a threat. The CVE-2025-11953 vulnerability discovered in the React Native Community CLI puts at risk not only the end
@habr_com
24 Dec 2025
1297 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
🚨Critical CVEs found in React server components and CLI: CVE-2025-55182 : https://t.co/5xh91es4ha CVE-2025-11953 : https://t.co/jNWozYvNsr
@ValkyriSecurity
3 Dec 2025
417 Impressions
1 Retweet
5 Likes
1 Bookmark
0 Replies
0 Quotes
🚨Critical CVEs found in React ecosystem : CVE-2025-55182 : https://t.co/5xh91es4ha CVE-2025-11953 : https://t.co/jNWozYvNsr
@ValkyriSecurity
3 Dec 2025
6 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
My feed rn with all the tweets about react2shell / CVE-2025-11953 https://t.co/yL0ClTFwOa
@0x_shaq
3 Dec 2025
206 Impressions
0 Retweets
0 Likes
1 Bookmark
0 Replies
0 Quotes
🚨 Web3 Mobile Devs: Your React Native Metro Server is a Sitting Duck for RCE Attacks! CVE-2025-11953 (CVSS 9.8) lets attackers on your network execute arbitrary OS commands via /open-url endpoint. No auth needed. Building wallets/dApps? This could drain testnets. Full report:
@omnipotentblock
3 Dec 2025
134 Impressions
1 Retweet
2 Likes
0 Bookmarks
1 Reply
0 Quotes
Ever seen a link open AND trigger calc.exe? 💥 #CVE202511953 #react Dissect CVE-2025-11953, a nasty Command Injection flaw in the React Native CLI that grants (RCE) See the demo, understand the risk, and PATCH TODAY! 🛡️ #InfoSec #DevSecOps #ReactNativeCLI #CommandInjec
@defhawk_specter
27 Nov 2025
56 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 React Native Community CLI [—] Nov 17, 2025 Product Security Advisory Report for React Native Community CLI, addressing CVE-2025-11953 and related security concerns. Checkout our Threat Intelligence Platform: https://t.co/QuwNtEgYh1... https://t.co/bgbEP93W4e
@transilienceai
17 Nov 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical flaw in React Native CLI (CVE-2025-11953) 📊 CVSS 9.8 | Unauthenticated remote execution ✅ 1.5M–2M weekly downloads. Update to v20.0.0! #Ciberseguridad #ReactNative #DevSecOps https://t.co/Nua3OOWgKH
@trustlock_sec
11 Nov 2025
4 Impressions
0 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🚩 Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks https://t.co/0hU2kunAr6 A severe vulnerability (CVE-2025-11953) in the @react-native-community/cli-server-api package allows unauthenticated attackers to execute arbitrary OS commands via a
@Huntio
10 Nov 2025
21 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
React Native: critical vulnerability in the development CLI (CVE-2025-11953) https://t.co/uc853h94UN #セキュリティ対策Lab #セキュリティ #Security #サイバー攻撃
@securityLab_jp
10 Nov 2025
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
😱 React Native CLI vuln CVE-2025-11953 (CVSS 9.8) lets hackers run code on dev machines. Patched in v20.0.0. Update! #DevSec
@CentlogixAgency
9 Nov 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical update! Our WAF now blocks a severe OS command injection vulnerability (CVE-2025-11953) in React Native Metro. Protect your developer workstations & CI/CD pipelines! 🛡️ New rule added to Managed Ruleset. https://t.co/V2YaP0bsfu
@mveracf
8 Nov 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Urgent WAF update! We've added protection against a critical React Native Metro command injection vulnerability (CVE-2025-11953). Blocking attempts to prevent potential remote code execution. Stay secure! 🛡️ https://t.co/Drr2eaWDkA
@CFchangelog
8 Nov 2025
215 Impressions
0 Retweets
4 Likes
0 Bookmarks
0 Replies
0 Quotes
Your app builds fine—because the CLI already built a backdoor. CVE-2025-11953: 9.8 CVSS, 0 auth, 1 HTTP request away from `rm -rf /`. Patch drops, downloads lag; supply chain drinks your .env while you sleep. Update or become the dependency horror story. https://t.co/sqT7fUTwLl
@geeknik
7 Nov 2025
125 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
⚠️Vulnerability in React products ❗CVE-2025-11953 ➡️More info: https://t.co/20WtHsszpW https://t.co/f8BFauEnLo
@CERTpy
7 Nov 2025
71 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-11953 : Critical RCE Vulnerability Puts React Native Developers at Risk https://t.co/41Ws0iYswN
@_4dinata
7 Nov 2025
45 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Building with #ReactNative? If you run the Metro server locally, update now to fix CVE-2025-11953. An attacker on your Wi-Fi/LAN can hit /open-url and trigger OS commands. This only affects dev instances, however, patching is still strongly recommended. https://t.co/WMEUNEFeOm
@CheckmarxZero
6 Nov 2025
12 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical flaw (CVE-2025-11953) in a popular React Native NPM package allows arbitrary code execution on Windows, macOS & Linux — developers at risk! Patch immediately. More: https://t.co/YQnpr5AvEK Follow me for support.
@kernelpanicsec
5 Nov 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical flaw (CVE-2025-11953) in a popular React Native NPM package allows arbitrary code execution on Windows, macOS & Linux — developers at risk! Patch immediately. More: https://t.co/YQnpr5B3ui Follow us for support: @kernel_panic69
@kernelpanicsec
5 Nov 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-11953: Critical RCE weakness puts native developers at risk https://t.co/69gOjCGTYF https://t.co/AGBODWRQDl
@freedomhack101
5 Nov 2025
100 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Warning: Critical vulnerability patched in the #React Native Community CLI NPM package. #CVE-2025-11953; CVSS 9.8, can lead to OS command execution. More information in our advisory: https://t.co/i6LXRJFUzY. Time to #Patch #Patch #Patch
@CCBalert
5 Nov 2025
29 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨CVE-2025-11953: Command Injection in React Native Metro Server allows unauthenticated remote attacks. Lock down your dev environment & watch for updates! More: https://t.co/BIfChq6tEr #DevSecOps #CyberRisk https://t.co/vzSLLip8y7
@rapidriskradar
5 Nov 2025
33 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🗞️ A critical vulnerability (CVE-2025-11953) has been discovered in the @react-native-community/cli npm package, affecting millions of developers. The flaw allows remote unauthenticated attackers to execute arbitrary OS commands on machines running the development server.
@gossy_84
5 Nov 2025
17 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
A flaw in the Metro server within React Native CLI allowed executing system commands without authentication. JFrog disclosed it as CVE-2025-11953 and Meta closed it in version 20.0.0. The lesson? Even development tools need
@Arageek
5 Nov 2025
295 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 A critical vulnerability in React Native CLI exposed millions of developers to RCE attacks! The #CVE-2025-11953 flaw allowed attackers to run arbitrary operating-system commands
@vulnerbyte
5 Nov 2025
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk https://t.co/YbthHwWuz1 #appsec
@eyalestrin
5 Nov 2025
19 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk https://t.co/WTTglaACTG via @jfrog
@kaly7dev
5 Nov 2025
66 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
React Native CLI vulnerability CVE-2025-11953 leads to RCE, a threat to developers https://t.co/ZK8R874o2V #Security #セキュリティー #ニュース
@SecureShield_
5 Nov 2025
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨🚨CVE-2025-11953(CVSS 9.8): Unauthenticated RCE in React Native CLI The Metro server is reachable by default and contains an unauthenticated command-injection flaw that allows RCE. Search by vul.cve Filter👉vul.cve="CVE-2025-11953" ZoomEye Dork👉app="React Native Commu
@zoomeye_team
5 Nov 2025
10712 Impressions
31 Retweets
88 Likes
34 Bookmarks
2 Replies
2 Quotes
🚨 Critical RCE Flaw in Popular React Native NPM Package Exposes Developers to Attacks Read more: https://t.co/E3xaKUIUkQ A critical remote code execution (RCE) vulnerability tracked as CVE-2025-11953 in the @react-native-community/cli NPM package. With nearly 2 million ht
@The_Cyber_News
5 Nov 2025
2388 Impressions
16 Retweets
30 Likes
12 Bookmarks
0 Replies
1 Quote
CVE-2025-11953 Critical RCE in React Native CLI - https://t.co/eDI87OhZqm
@piedpiper1616
5 Nov 2025
858 Impressions
4 Retweets
9 Likes
3 Bookmarks
0 Replies
0 Quotes
A serious threat to React Native developers. A vulnerability that could allow remote execution of arbitrary code has been found in the popular NPM package "@react-native-community/cli". The impact extends to more than 2 million downloads per week worldwide. Discovered by JFrog
@yousukezan
4 Nov 2025
1213 Impressions
4 Retweets
9 Likes
3 Bookmarks
0 Replies
0 Quotes
Critical flaw in React Native CLI allows remote command execution: vulnerability CVE-2025-11953 in the @react-native-community/cli package, now fixed, allowed unauthenticated remote execution of OS commands, affecting developers who use the Metro server. https://t
@caveiratech
4 Nov 2025
54 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
A critical vulnerability has been discovered in the popular react-native package that can be exploited by unauthorized attackers to run malicious operating-system commands. This security flaw, which
@Teeegra
4 Nov 2025
609 Impressions
0 Retweets
9 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk https://t.co/yPPbGnb8yy https://t.co/TT8cAmo5Un
@secharvesterx
4 Nov 2025
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical flaw (CVE-2025-11953) in the React Native Community CLI package allows unauthenticated remote command execution via POST requests. Meta released v20.0.0 to fix the issue. #ReactNative #NPMpackage #USA https://t.co/ptm54Yoykn
@TweetThreatNews
4 Nov 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-11953: critical RCE in React Native CLI exposes developers to remote commands. Vulnerability, CLI, JFrog, rce, react native https://t.co/OCej6M3LF4 https://t.co/T08RW89tNz
@matricedigitale
4 Nov 2025
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical RCE Vulnerability CVE-2025-11953 Puts React Native Developers at Risk https://t.co/fX2x0A91Li
@_r_netsec
4 Nov 2025
1037 Impressions
1 Retweet
3 Likes
4 Bookmarks
0 Replies
0 Quotes
⚠️ Heads up, React Native devs: We've just disclosed CVE-2025-11953, a critical CVSS 9.8 RCE vulnerability in the React Native CLI. 🚩The risk: An unauthenticated network attacker can get #RCE on your machine via the running dev server. Full technical breakdown & miti
@jfrog
4 Nov 2025
7482 Impressions
3 Retweets
13 Likes
4 Bookmarks
0 Replies
4 Quotes
[CVE-2025-11953: CRITICAL] Beware of the security risk in React Native CLI! Metro Development Server exposes a vulnerable endpoint to OS command injection, enabling attackers to run arbitrary executables.#cve,CVE-2025-11953,#cybersecurity https://t.co/V0bIRaWjiq https://t.co/5dbP
@CveFindCom
3 Nov 2025
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
**CVE-2025-11953** pertains to a critical security flaw within the Metro Development Server used in React Native development environments. By default, this server binds to external interfaces, making it accessible beyond the local machine. The exposed server endpoint allows
@CveTodo
3 Nov 2025
46 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-11953 The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to O… https://t.co/PGT3QIG8Qk
@CVEnew
3 Nov 2025
279 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes