CVE-2025-11953
📋 TL;DR
CVE-2025-11953 is a critical OS command injection vulnerability in the React Native Community CLI's Metro Development Server. Unauthenticated attackers can send POST requests to execute arbitrary commands on affected systems, potentially leading to complete system compromise. Developers using React Native with the vulnerable CLI are affected.
💻 Affected Systems
- React Native Community CLI
📦 What is this software?
React Native Community CLI by React Native Community
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with attacker gaining full control, data exfiltration, ransomware deployment, and lateral movement across networks.
Likely Case
Remote code execution leading to malware installation, credential theft, and backdoor persistence on developer workstations.
If Mitigated
Limited impact if the server is not internet-facing and proper network segmentation is in place.
🎯 Exploit Status
CISA has added this to their Known Exploited Vulnerabilities catalog, confirming active exploitation. Simple HTTP POST requests can trigger the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 13.6.0 and later
Vendor Advisory: https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
Restart Required: Yes
Instructions:
1. Update React Native Community CLI to version 13.6.0 or later.
2. Run: npm update @react-native-community/cli
3. Restart any running Metro Development Servers.
4. Verify the update with: npx @react-native-community/cli --version
🔧 Temporary Workarounds
Disable external interface binding
Configure the Metro Development Server to bind only to localhost instead of external interfaces.
export REACT_NATIVE_PACKAGER_HOSTNAME=127.0.0.1
set REACT_NATIVE_PACKAGER_HOSTNAME=127.0.0.1
Firewall restriction
Block external access to the Metro Development Server port (default 8081).
sudo ufw deny 8081
netsh advfirewall firewall add rule name="Block Metro" dir=in action=block protocol=TCP localport=8081
🧯 If You Can't Patch
- Immediately stop using the Metro Development Server in production or internet-facing environments
- Implement strict network segmentation to isolate systems running vulnerable versions from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check CLI version with: npx @react-native-community/cli --version. If version is below 13.6.0, you are vulnerable.
Check Version:
npx @react-native-community/cli --version
Verify Fix Applied:
Confirm the version is 13.6.0 or higher with: npx @react-native-community/cli --version. Also verify that the Metro server is not reachable from external networks.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Metro server endpoints
- Suspicious command execution in system logs from Metro process
- Unexpected network connections from Metro server
Network Indicators:
- POST requests to /onchange endpoint with command injection payloads
- Outbound connections from Metro server to suspicious IPs
- Traffic on port 8081 from external sources
SIEM Query:
source="metro-server" AND (method="POST" AND uri_path="/onchange" AND (body CONTAINS "cmd" OR body CONTAINS "powershell" OR body CONTAINS "bash"))
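The SIEM query above expressed as a small offline triage script, added here as an example and not part of this advisory or the React Native project. It assumes a constructed key=value log format (Metro does not log in this form; adapt LINE_RE to your proxy or dev-server access log) and flags two things the advisory calls out: POST requests to /onchange whose body contains the named keywords, and any request not arriving from loopback, which should not happen once the server is bound to 127.0.0.1.

```python
import ipaddress
import re

# Constructed sample access-log lines (assumption: not Metro's real log format).
SAMPLE_LOGS = """\
src=127.0.0.1 method=GET path=/status body=
src=127.0.0.1 method=POST path=/onchange body=
src=203.0.113.7 method=POST path=/onchange body=powershell
src=10.0.0.5 method=POST path=/onchange body=BASH
src=198.51.100.9 method=GET path=/index.bundle body=
src=192.0.2.4 method=POST path=/symbolicate body=cmd
"""

# Keywords named in the advisory's SIEM query. Substring matching is coarse
# and will also hit benign text such as "cmdline"; treat hits as triage leads.
KEYWORDS = ("cmd", "powershell", "bash")
LINE_RE = re.compile(r"src=(\S+) method=(\S+) path=(\S+) body=(.*)")


def is_external(src: str) -> bool:
    """True when the client address is not loopback (Metro should be bound to 127.0.0.1)."""
    try:
        return not ipaddress.ip_address(src).is_loopback
    except ValueError:
        return True  # unparseable source address: treat as untrusted


def classify(line: str):
    """Parse one line; return (src, path, reasons). reasons is empty for benign lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, method, path, body = m.groups()
    reasons = []
    if method == "POST" and path == "/onchange" and any(k in body.lower() for k in KEYWORDS):
        reasons.append("onchange-command-keyword")
    if is_external(src):
        reasons.append("external-source")
    return src, path, tuple(reasons)


def scan(log_text: str):
    """Run classify() over every line and keep only lines with at least one reason."""
    hits = []
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[2]:
            hits.append(parsed)
    return hits


if __name__ == "__main__":
    for src, path, reasons in scan(SAMPLE_LOGS):
        print(f"{src} {path}: {', '.join(reasons)}")
```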
🔗 References
- https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
- https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability
- https://x.com/SzymonRybczak/status/1986199665000566848
- https://x.com/thymikee/status/1986770875954475375
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953
- https://www.vulncheck.com/blog/metro4shell_eitw