CVE-2025-11953
Published 2025-11-03
Priority: P1 99 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2026-02-26
Exploited in the wild
EPSS: 61.94% (99.1th percentile)
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| react-native-community | cli | >= 18.0.0 < 18.0.1 | 18.0.1 |
| react-native-community | cli | >= 19.0.0-alpha.0 < 19.1.2 | 19.1.2 |
| react-native-community | cli | >= 20.0.0-alpha.0 < 20.0.0 | 20.0.0 |
| react-native-community | cli-server-api | >= 18.0.0 < 18.0.1 | 18.0.1 |
| react-native-community | cli-server-api | >= 19.0.0-alpha.0 < 19.1.2 | 19.1.2 |
| react-native-community | cli-server-api | >= 20.0.0-alpha.0 < 20.0.0 | 20.0.0 |
| react-native-community | react_native_community_cli | — | — |
| react-native-community | react_native_community_cli | — | — |
| react-native-community | react_native_community_cli | >= 19.0.0 < 19.1.2 | 19.1.2 |
Detection & IOCs (extracted from sources)
- Monitor for inbound HTTP POST requests to the /open-url endpoint on Metro development server ports; any external POST to this endpoint is anomalous and indicative of CVE-2025-11953 exploitation.
- Detect base64-encoded PowerShell payloads delivered in the HTTP POST body to Metro server endpoints; decode and inspect them for Add-MpPreference Defender exclusion commands and outbound TCP connections.
- Hunt for the approximately 3,500 internet-exposed React Native Metro servers using ZoomEye or similar EASM tools; prioritize patching or network-level blocking for any externally reachable Metro instances.
- The Check Point IPS signature 'React Native Community CLI Command Injection (CVE-2025-11953)' can be used as a detection reference for network-level blocking.
- Exploitation activity (dubbed Metro4Shell) was first observed on December 21, 2025, with follow-on waves on January 4 and January 21; use these dates to scope retrospective log hunting.
- The vulnerability affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 only; version 20.0.0 and later are patched. Scope detection and patching efforts accordingly.
- Exploitation complexity on Linux is significantly higher than on Windows; on Linux/macOS the attacker can only trigger pre-installed executables accessible to the affected program, whereas on Windows full arbitrary shell command execution with controlled arguments is possible.
- Metro binds to external interfaces by default during development; this is a design default, not a misconfiguration, meaning any developer machine running Metro without firewall restrictions is exposed.
- Despite active in-the-wild exploitation observed since December 2025, the vulnerability carries a low EPSS score; do not rely on EPSS or CISA KEV inclusion as the sole trigger for remediation prioritization.
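The first two indicators above describe a concrete detection: an external POST to /open-url on a Metro port, and a base64-encoded PowerShell body that decodes to a Defender-exclusion command. The script below is an added example written for this page; it is not code from any of the advisory sources or from the React Native project. It runs the two checks over constructed request records. The record schema (src, method, path, dst_port, body), the list of Metro ports and the sample requests are assumptions made for the illustration.

```python
"""Detection helper for the CVE-2025-11953 indicators listed above.

Added example, not code from the advisories or the React Native project.
An external POST to /open-url on a Metro port is flagged on its own, and any
long base64 token in the body is decoded (UTF-16LE and UTF-8) and checked for
the Add-MpPreference indicator. Schema, ports and samples are assumptions.
"""
import base64
import binascii
import ipaddress
import re

# Assumption: ports a Metro dev server is commonly reachable on.
METRO_PORTS = {8081, 8082, 19000, 19001, 19002}
OPEN_URL_PATH = "/open-url"

# Base64 runs long enough to be worth decoding; short runs are mostly noise.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
# Indicator from the advisory list: tampering with Defender exclusions.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference", re.IGNORECASE)


def decode_base64_candidates(body: str) -> list[str]:
    """Return plausible plaintexts for every long base64 token in the body.

    PowerShell -EncodedCommand payloads are UTF-16LE while other loaders use
    UTF-8, so both decodings are tried; tokens that fail to decode are skipped.
    """
    texts = []
    for token in B64_TOKEN.findall(body):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        for encoding in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(encoding)
            except UnicodeDecodeError:
                continue
            if text.isprintable():
                texts.append(text)
    return texts


def analyze_request(record: dict) -> list[str]:
    """Return detection findings for one request record.

    Record keys (constructed schema): src, method, path, dst_port, body.
    Loopback clients are the only expected callers of /open-url; any other
    source posting to it is treated as anomalous, as the indicators state.
    """
    findings = []
    path = record["path"].split("?", 1)[0]
    if (record["dst_port"] in METRO_PORTS
            and record["method"].upper() == "POST"
            and path == OPEN_URL_PATH
            and not ipaddress.ip_address(record["src"]).is_loopback):
        findings.append(f"external POST to {OPEN_URL_PATH} from {record['src']}")
    for text in decode_base64_candidates(record.get("body", "")):
        if DEFENDER_EXCLUSION.search(text):
            findings.append("base64 body decodes to a Defender exclusion command (Add-MpPreference)")
            break
    return findings


def scan(records: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, findings) for every record that produced a finding."""
    return [(i, f) for i, r in enumerate(records) if (f := analyze_request(r))]


def _b64(text: str, encoding: str) -> str:
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed sample requests for the demonstration (not captured traffic).
SAMPLE_REQUESTS = [
    # 0: ordinary bundle fetch from the developer's own machine
    {"src": "127.0.0.1", "method": "GET", "path": "/index.bundle?platform=ios",
     "dst_port": 8081, "body": ""},
    # 1: local tooling calling /open-url from loopback, the expected use
    {"src": "127.0.0.1", "method": "POST", "path": "/open-url",
     "dst_port": 8081, "body": '{"url":"http://localhost:8081/debugger-ui"}'},
    # 2: remote client posting a UTF-16LE base64 body containing the indicator
    {"src": "203.0.113.7", "method": "POST", "path": "/open-url", "dst_port": 8081,
     "body": '{"url":"' + _b64("Add-MpPreference -ExclusionPath PLACEHOLDER", "utf-16-le") + '"}'},
    # 3: remote POST to /open-url with an opaque body: anomalous on its own
    {"src": "198.51.100.20", "method": "POST", "path": "/open-url",
     "dst_port": 19000, "body": "{}"},
    # 4: unrelated upload on a non-Metro port carrying harmless base64
    {"src": "198.51.100.20", "method": "POST", "path": "/api/upload",
     "dst_port": 443, "body": _b64("hello world, nothing to see here at all", "utf-8")},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS):
        print(f"record {index}: " + "; ".join(findings))
```

Only records 2 and 3 are reported: the loopback call in record 1 is the normal developer workflow, and the harmless base64 in record 4 decodes cleanly but matches no indicator. Feeding real proxy or web-server logs into this requires only mapping their fields onto the record schema.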
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
vendor_redhat · 9.8 CRITICAL
CISA
React Native Community CLI OS Command Injection Vulnerability
cisa · 2026-02-05 · CVSS 9.8 · CRITICAL · CWE-78
Affected: React Native Community CLI
React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary executables via a vulnerable endpoint exposed by the server. On Windows, attackers can also execute arbitrary shell commands with fully controlled arguments.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used
Red Hat
@react-native-community/cli-server-api: Command injection in React Native CLI
vendor_redhat · 2025-11-03 · CVSS 9.8 · CRITICAL · CWE-78
A command injection flaw has been discovered in the npm @react-native-community/cli-server-api package. URLs are not properly validated which may allow an attacker to execute local code which is already present on the host.
Statement: The complexity of exploitation on Linux is significantly higher than on
OSV
@react-native-community/cli has arbitrary OS command injection
osv · 2025-11-03 · CRITICAL
GHSA
@react-native-community/cli has arbitrary OS command injection
ghsa · 2025-11-03 · CRITICAL · CWE-78
VulnCheck
React Native Community CLI OS Command Injection Vulnerability
vulncheck · 2025 · CVSS 9.8 · CRITICAL · CWE-78
Affected: React Native Community CLI
Exploitation References:
https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-11953&date=2025-12-21
https://api.vulncheck.com/v3/index/vulnchec
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-11953 onnxruntime: Command injection in React Native CLI [fedora-42]
bugzilla · 2025-11-03 · CVSS 9.8 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports fr
Checkpoint
9th February – Threat Intelligence Report
blogs_checkpoint · 2026-02-09 · CVE-2026-1281
For the latest discoveries in cyber research for the week of 9th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Romania’s national oil pipeline operator, Conpet, has suffered a cyberattack that disrupted its IT systems and took its website offline. The company said operational technology, including pipeline control and telecommunications systems, remained fully functional and oil transport continued without interruption. The attack
Bleepingcomputer
Hackers exploit critical React Native Metro bug to breach dev systems
blogs_bleepingcomputer · 2026-02-03 · CVSS 9.8 · CRITICAL
By Bill Toulas
Hackers are targeting developers by exploiting the critical vulnerability CVE-2025-11953 in the Metro server for React Native to deliver malicious payloads for Windows and Linux.
On Windows, an unauthenticated attacker can leverage the security issue to execute arbitrary OS commands via a POST request. On Linux and macOS, the vulnerability can lead to running arbitrary executables with limited parameter control.
Metro is the default JavaScript bundler for React Native projects, and it is essential for building and running applications in the development stage.
By default, Metro can bind to external network interfaces and expose development-only HTTP endpoints (/open-url) for local use during develo
Greynoiseio
NoiseLetter November 2025
blogs_greynoiseio
References
https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability
https://x.com/SzymonRybczak/status/1986199665000566848
https://x.com/thymikee/status/1986770875954475375
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953
https://www.vulncheck.com/blog/metro4shell_eitw
Timeline
2025-11-03: Published
2026-02-05: Added to CISA KEV
Exploited in the wild