# Critical Vulnerability Report: CVE-2025-11953
## 1. Executive Summary
**CVE-2025-11953** is a **Critical (CVSS 9.8)** Remote Code Execution (RCE) vulnerability found in the **React Native Community CLI's Metro development server**.
| Component | Vulnerability Type | CVSS Score | Impact |
| :--- | :--- | :--- | :--- |
| **@react-native-community/cli-server-api** (4.8.0 - 20.0.0-alpha.2) | OS Command Injection (CWE-78) | **9.8 (Critical)** | **Unauthenticated Remote Code Execution** on the developer's machine. |
The flaw exists because the Metro dev server's **/open-url** HTTP endpoint improperly processes user input, passing it directly to an unsafe `open()` function that executes a system shell command. Since the server **binds to all network interfaces by default**, an unauthenticated attacker on the same network can send a crafted POST request to this endpoint to execute arbitrary OS commands on the developer's system.
This results in a complete loss of **Confidentiality, Integrity, and Availability**, potentially leading to full system compromise.
---
## 2. Basic Identification & Classification
| Category | Detail |
| :--- | :--- |
| **CVE ID** | CVE-2025-11953 |
| **Title** | React Native Metro Development Server OS Command Injection (Critical RCE) |
| **CWE Type** | **CWE-78**: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) |
| **Affected Product** | React Native Community CLI (Metro dev server) and its component: **@react-native-community/cli-server-api** |
| **Vulnerable Versions** | **4.8.0 through 20.0.0-alpha.2** |
| **Fixed Version** | **v20.0.0** and later of both the CLI and `cli-server-api` |
---
## 3. Technical Description
The vulnerability is rooted in the **Metro dev server's `openURLMiddleware`**.
1. **Default Configuration:** When a React Native project starts, the CLI launches the Metro dev server (default port **8081**). By default, it listens on all network interfaces (`0.0.0.0`), making it remotely accessible.
2. **Vulnerable Endpoint:** The server exposes the **`POST /open-url`** HTTP endpoint, which is used internally during development to open files or URLs (e.g., refreshing documentation).
3. **Unsafe Command Execution:** This endpoint takes a JSON payload, such as `{"url": "<some-url>"}`, and calls the **`open()`** function from the `open` NPM package. Crucially, the `open()` call executes a system shell command to open the provided URL.
4. **OS Command Injection:** Metro **does not sanitize** the user-supplied `url` value before passing it to the command execution. An attacker can embed shell metacharacters (like `&&`, `;`, `|`) into the `url` value to inject and execute arbitrary OS commands.
### Attack Mapping
The attack requires no authentication or specific user interaction. An attacker only needs network access to the developer's machine on port 8081.
**Example Payload (Windows):**
A request containing `{"url":"C:\\Windows\\system.ini\" && calc.exe"}` will cause the server to execute the system command, launching `calc.exe` in addition to its intended function. This technique grants the attacker full shell command execution.
> **Note:** Frameworks like **Expo** that use a different development server are generally **not affected** by this specific vulnerability.
---
## 4. Risk Assessment (CVSS v3.1)
| Metric | Value | Description |
| :--- | :--- | :--- |
| **Base Score** | **9.8 (Critical)** | Reflects maximum severity due to network accessibility and full impact. |
| **Vector String** | **AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H** | **AV:N** (Network Attack Vector), **AC:L** (Low Attack Complexity), **PR:N** (No Privileges Required), **UI:N** (No User Interaction Required), **C:H** (High Confidentiality Impact), **I:H** (High Integrity Impact), **A:H** (High Availability Impact). |
| **Impact** | **High** | Successful exploitation leads to **full remote code execution** on the developer's system, allowing for data theft, code modification, and complete system disruption. |
| **Exploit Status** | **Proof-of-Concept (PoC) Exists** | Security researchers have publicly demonstrated the exploit, but there are no confirmed reports of in-the-wild attacks as the patch was released promptly. |
---
## 5. Remediation and Mitigation
### Primary Solution (Patch)
The immediate and definitive solution is to **upgrade** the affected packages:
* **Target Version:** Update the **@react-native-community/cli-server-api** package to **v20.0.0 or later**.
* **CLI Upgrade:** Alternatively, update the main **React Native CLI to v20.0.0+**, which includes the patched component.
### Temporary Mitigations/Workarounds
These steps should be implemented immediately until the patch can be deployed:
1. **Bind Metro to Localhost:** Prevent remote connections by starting the development server with the `--host` flag.
   * **Example:** `npx react-native start --host 127.0.0.1`
2. **Restrict Network Access:** Use **firewall rules** or network access controls (ACLs) to block incoming connections to the Metro port (default **8081**) from all untrusted external sources.
3. **Monitor & Audit:** Watch development logs for suspicious `POST` requests targeting the `/open-url` endpoint.
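As an added example (not code from the React Native CLI or the `open` package), the validator below shows the kind of allowlist check the technical description above says the `/open-url` handler lacked, and reuses that same check to flag suspicious `POST /open-url` entries for the log-monitoring step. The `METHOD PATH BODY` log format, the `SAMPLE_LOG` lines and the `openFn` stand-in are constructed for this illustration and are assumptions, not the dev server's real format or API.

```javascript
// Added example, not the project's code: a strict validator for the "url"
// field of POST /open-url, a hardened handler shape, and a log scanner.

// Characters with meaning to a shell; a browser URL never needs them.
const SHELL_META = /[;&|`$<>\n\r"'\\(){}]/;

// Accept only absolute http(s) URLs with no shell metacharacters, so the
// value can never be interpreted as shell syntax by a shell-backed open().
function isSafeOpenUrl(value) {
  if (typeof value !== "string" || value.length > 2048) return false;
  if (SHELL_META.test(value)) return false;
  let parsed;
  try { parsed = new URL(value); } catch { return false; } // relative paths, bare filenames, junk
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// Hardened handler shape: parse, validate, and only then open.
// `openFn` stands in for the `open` package so the example runs offline.
function handleOpenUrl(body, openFn) {
  let url;
  try { url = JSON.parse(body).url; } catch { return { status: 400, reason: "invalid JSON" }; }
  if (!isSafeOpenUrl(url)) return { status: 400, reason: "rejected url" };
  openFn(url);
  return { status: 200, reason: "ok" };
}

// Constructed log lines (assumed "METHOD PATH BODY" format): one benign
// request, one unrelated request, and one shaped like the advisory's
// example payload.
const SAMPLE_LOG = [
  'POST /open-url {"url":"http://localhost:8081/"}',
  'GET /status',
  'POST /open-url {"url":"C:\\\\Windows\\\\system.ini\\" && calc.exe"}',
];

// Report every POST /open-url whose body the hardened handler would reject;
// these are the entries worth investigating during the monitoring step.
function flagSuspiciousOpenUrlRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const [method, path, ...rest] = line.split(" ");
    if (method !== "POST" || path !== "/open-url") continue;
    const result = handleOpenUrl(rest.join(" "), () => {});
    if (result.status !== 200) hits.push({ line, reason: result.reason });
  }
  return hits;
}
```

Running `flagSuspiciousOpenUrlRequests(SAMPLE_LOG)` returns only the third line, with reason `rejected url`, while the benign request passes through `handleOpenUrl` with status 200.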
---
## 6. References
* **NVD:** National Vulnerability Database entry for [CVE-2025-11953](https://nvd.nist.gov).
* **JFrog Security Research:** Critical RCE Vulnerability [CVE-2025-11953 analysis](https://jfrog.com).
* **The Hacker News:** [Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks](https://thehackernews.com).
* **Snyk:** Command Injection in [@react-native-community/cli-server-api](https://security.snyk.io).
* **CCB Belgium:** Advisory on [Critical React Native CLI vulnerability](https://ccb.belgium.be).