CVE-2025-11953
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-03

Last updated on: 2026-02-06

Assigner: JFrog

Description
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-03
Last Modified
2026-02-06
Generated
2026-06-16
AI Q&A
2025-11-03
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11953
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
react_native_community cli *
react-native-community react_native_community_cli From 19.0.0 (inc) to 19.1.2 (inc)
react-native-community react_native_community_cli 20.0.0
react-native-community react_native_community_cli 18.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Metro Development Server used by the React Native CLI, which binds to external interfaces by default. It exposes an endpoint vulnerable to OS command injection, allowing unauthenticated network attackers to send POST requests and execute arbitrary executables. On Windows systems, attackers can also run arbitrary shell commands with fully controlled arguments.

Impact Analysis

This vulnerability can have severe impacts as it allows unauthenticated attackers to execute arbitrary code on the affected system remotely. This can lead to full system compromise, including data theft, system disruption, or further attacks within the network.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11953. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart