Critical OS Command Injection Report: CVE-2025-11953
1. Executive Summary
CVE-2025-11953 is a Critical (CVSS 9.8) OS Command Injection vulnerability found in the React Native Community CLI's Metro development server.
| Component | Vulnerability Type | CVSS Score | Impact |
|---|---|---|---|
| @react-native-community/cli-server-api (4.8.0 - 20.0.0-alpha.2) | OS Command Injection (CWE-78) | 9.8 (Critical) | Unauthenticated Remote Code Execution on the developer's machine. |
The flaw exists because the Metro dev server's /open-url HTTP endpoint improperly processes user input, passing it directly to an unsafe open() function that executes a system shell command. Since the server binds to all network interfaces by default, an unauthenticated attacker on the same network can send a crafted POST request to this endpoint to execute arbitrary OS commands on the developer's system.
This results in a complete loss of Confidentiality, Integrity, and Availability, potentially leading to full system compromise.
2. Basic Identification & Classification
| Category | Detail |
|---|---|
| CVE ID | CVE-2025-11953 |
| Title | React Native Metro Development Server OS Command Injection (Critical RCE) |
| CWE Type | CWE-78 – Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) |
| Affected Product | React Native Community CLI (Metro dev server) and its component: @react-native-community/cli-server-api |
| Vulnerable Versions | 4.8.0 through 20.0.0-alpha.2 |
| Fixed Version | v20.0.0 and later of both the CLI and cli-server-api |
3. Technical Description
The vulnerability is rooted in the Metro dev server's openURLMiddleware.
- Default Configuration: When a React Native project starts, the CLI launches the Metro dev server (default port 8081). By default, it listens on all network interfaces (0.0.0.0), making it remotely accessible.
- Vulnerable Endpoint: The server exposes the `POST /open-url` HTTP endpoint, which is used internally during development to open files or URLs (e.g., refreshing documentation).
- Unsafe Command Execution: This endpoint takes a JSON payload, such as `{"url": ""}`, and calls the `open()` function from the open NPM package. Crucially, the `open()` call executes a system shell command to open the provided URL.
- OS Command Injection: Metro does not sanitize the user-supplied `url` value before passing it to the command execution. An attacker can embed shell metacharacters (such as `&&`, `;`, `|`) into the `url` value to inject and execute arbitrary OS commands.
🗺 Attack Mapping
The attack requires no authentication or specific user interaction. An attacker only needs network access to the developer's machine on port 8081.
Example Payload (Windows):
A request containing `{"url":"C:\Windows\system.ini" && calc.exe"}` will cause the server to execute the system command, launching calc.exe in addition to its intended function. This technique grants the attacker full shell command execution.
Note: Frameworks like Expo that use a different development server are generally not affected by this specific vulnerability.
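As an added example (not code from the React Native CLI, the open package, or the actual fix), this is the shape of a hardened handler for an endpoint like `/open-url`: it accepts only absolute http(s) URLs and hands the validated string to an opener as a single argument, never through a shell. `validateOpenUrl`, `handleOpenUrl` and the injected `opener` are assumed names.

```javascript
// Added example, not the project's code: a hardened /open-url handler.
// The endpoint accepts only absolute http(s) URLs and passes the validated
// string to an injected `opener` (assumed) as one argument, so no shell is
// ever involved and metacharacters in the value cannot alter the command.

// Return the normalized URL string, or null if the value must be rejected.
function validateOpenUrl(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(value); // requires an absolute URL; relative paths throw
  } catch {
    return null;
  }
  // Allowlist schemes: no file:, no drive letters such as "C:", no custom handlers.
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  // Belt and braces on the raw input: whitespace, quotes and shell separators
  // are never needed in a URL the dev tooling opens, even though a shell-free
  // opener would not interpret them anyway.
  if (/[\s"'`\\|;<>]/.test(value)) return null;
  return parsed.href;
}

// Minimal request handler. `body` is the already-parsed JSON body; `opener(href)`
// is expected to spawn the platform opener with href as a single argv element,
// i.e. child_process.spawn(cmd, [href]) without `shell: true`.
function handleOpenUrl(body, opener) {
  const href = validateOpenUrl(body && body.url);
  if (href === null) {
    return { status: 400, error: "url must be an absolute http(s) URL" };
  }
  opener(href);
  return { status: 200, opened: href };
}
```

The scheme allowlist is what turns the page's drive-letter payload into a 400 before any command is assembled; the metacharacter check only adds a second line of defense.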
4. Risk Assessment (CVSS v3.1)
| Metric | Value | Description |
|---|---|---|
| Base Score | 9.8 (Critical) | Reflects maximum severity due to network accessibility and full impact. |
| Vector String | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | AV:N (Network Attack Vector), AC:L (Low Attack Complexity), PR:N (No Privileges Required), UI:N (No User Interaction Required), C:H (High Confidentiality Impact), I:H (High Integrity Impact), A:H (High Availability Impact). |
| Impact | High | Successful exploitation leads to full remote code execution on the developer's system, allowing for data theft, code modification, and complete system disruption. |
| Exploit Status | Proof-of-Concept (PoC) Exists | Security researchers have publicly demonstrated the exploit, but there are no confirmed reports of in-the-wild attacks as the patch was released promptly. |
5. Remediation and Mitigation
✅ Primary Solution (Patch)
The immediate and definitive solution is to upgrade the affected packages:
- Target Version: Update the `@react-native-community/cli-server-api` package to v20.0.0 or later.
- CLI Upgrade: Alternatively, update the main React Native CLI to v20.0.0+, which includes the patched component.
🛡 Temporary Mitigations/Workarounds
These steps should be implemented immediately until the patch can be deployed:
- Bind Metro to Localhost: Prevent remote connections by starting the development server with the --host flag.
  - Example: `npx react-native start --host 127.0.0.1`
- Restrict Network Access: Use firewall rules or network access controls (ACLs) to block incoming connections to the Metro port (default 8081) from all untrusted external sources.
- Monitor & Audit: Watch development logs for suspicious POST requests targeting the /open-url endpoint.
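An added example, not from this report or the project, of the "Monitor & Audit" step in code: it scans access-log lines for POST requests to /open-url that did not come from a loopback address, which is exactly the traffic the localhost binding and firewall rules above are meant to prevent. The Apache-style combined log format and the sample lines are constructed assumptions; adapt the regex to whatever proxy or logger fronts your dev server.

```javascript
// Added example (not from the page or the React Native CLI): flag POST /open-url
// requests from non-loopback clients in constructed access-log lines.
// Log format assumed: '<ip> - - [<time>] "<method> <path> <proto>" <status> <bytes>'.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Loopback covers IPv4 127.0.0.0/8, IPv6 ::1 and IPv4-mapped ::ffff:127.x.
function isLoopback(ip) {
  return ip === "::1" || /^127\./.test(ip) || /^::ffff:127\./.test(ip);
}

// Parse one line into its fields, or return null for lines that do not match.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Return every parsed request that is a POST to /open-url (ignoring any query
// string) from a client that is not on the local machine.
function findSuspiciousOpenUrl(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const path = req.path.split("?")[0];
    if (req.method === "POST" && path === "/open-url" && !isLoopback(req.ip)) hits.push(req);
  }
  return hits;
}

// Aggregate hits per source address so a single noisy host stands out.
function summarizeBySource(hits) {
  const counts = {};
  for (const h of hits) counts[h.ip] = (counts[h.ip] || 0) + 1;
  return counts;
}

// Constructed sample log: two remote hosts reach /open-url, loopback traffic
// is expected, one line is unparseable noise.
const SAMPLE_LOG = [
  '127.0.0.1 - - [05/Nov/2025:10:12:01 +0000] "POST /open-url HTTP/1.1" 200 2',
  '192.168.1.42 - - [05/Nov/2025:10:12:07 +0000] "GET /index.bundle?platform=ios HTTP/1.1" 200 91812',
  '192.168.1.42 - - [05/Nov/2025:10:12:09 +0000] "POST /open-url HTTP/1.1" 200 2',
  '10.0.0.7 - - [05/Nov/2025:10:12:11 +0000] "POST /open-url?x=1 HTTP/1.1" 500 0',
  '::ffff:127.0.0.1 - - [05/Nov/2025:10:12:13 +0000] "POST /open-url HTTP/1.1" 200 2',
  "garbage line that does not parse",
];
```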