Byte Open Security (ByteOS Network)
CVE Vulnerability Details: CVE-2025-11953
State: PUBLISHED
Assigner: JFROG
Assigner Org ID: 48a46f29-ae42-4e1d-90dd-c1676c1e5e6d
Published At: 03 Nov, 2025 | 16:35
Updated At: 06 Feb, 2026 | 04:55
CVE Numbering Authority (CNA)
Command injection in React Native Community CLI allows remote attackers to perform remote code execution by sending HTTP requests

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Affected Products
Collection URL: https://www.npmjs.com
Package Name: @react-native-community/cli-server-api
Default Status: unaffected
Affected Versions:
  • From 4.8.0 before 20.0.0 (semver)
Problem Types
Type: CWE
CWE ID: CWE-78
Description: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Metrics
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
  • https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability (technical-description)
  • https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547 (patch)
Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Metrics Other Info
KEV:
  dateAdded: 2026-02-05
  reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953
Timeline
Event: CVE-2025-11953 added to CISA KEV
Date: 2026-02-05 00:00:00
References
  • https://www.vulncheck.com/blog/metro4shell_eitw (third-party-advisory)
  • https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953 (government-resource)
2. CVE Program Container
References
  • https://x.com/SzymonRybczak/status/1986199665000566848 (resource type: N/A)
  • https://x.com/thymikee/status/1986770875954475375 (resource type: N/A)