CVE-2025-11953
Published: 03 November 2025
Summary
CVE-2025-11953 is a critical-severity OS Command Injection (CWE-78) vulnerability in React Native Community CLI (React-Native-Community). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 4.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely identification, reporting, and correction of the command injection flaw in the Metro Development Server via available patches.
- Mandates validation of inputs at external interfaces to block OS command injection attacks via POST requests to the vulnerable endpoint.
- Enforces secure configuration settings to bind the development server only to localhost, preventing exposure to unauthenticated network attackers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote command injection in a publicly exposed development server directly enables exploitation of public-facing applications (T1190) and execution of arbitrary Windows shell commands (T1059.003).
NVD Description
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
Deeper analysis
CVE-2025-11953, published on 2025-11-03, is a critical OS command injection vulnerability (CWE-78) in the Metro Development Server launched by the React Native Community CLI. By default, the server binds to external interfaces and exposes an endpoint vulnerable to command injection, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated network attackers can exploit the vulnerability by sending a POST request to the affected endpoint, enabling execution of arbitrary executables. On Windows, attackers gain the ability to execute arbitrary shell commands with fully controlled arguments.
A patch addressing the issue is available in the React Native Community CLI via the commit at https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547. Further details on the vulnerability and mitigation are provided in the JFrog advisory at https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability. The vulnerability appears in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953, signaling active real-world exploitation.
Details
- CWE(s): CWE-78
- KEV Date Added: 05 February 2026