CVE-2025-11953CRITICAL · 9.8TrackedCISA KEV

React Native Community · CLI

React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary executables via a vulnerable endpoint exposed by the server. On Windows, attackers can also execute arbitrary shell commands with fully controlled arguments.

Disclosed

2025-11-03

218 days ago

Status

no honeypot capture yet

on CISA KEV — watching

7-day events

across 0 distinct IPs

7-day spread

0 ASN · 0 cty

0 active days

Top ASNs

No events captured yet.

Top countries

No events captured yet.

References

https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
https://github.com/react-native-community/cli/pull/2735
https://nvd.nist.gov/vuln/detail/CVE-2025-11953

↗ NVD ↗ CISA KEV ↗ Search analyses