What is CVE-2025-11953?

A critical OS command injection vulnerability in the React Native Community CLI could allow unauthenticated attackers to execute arbitrary commands. Organizations should prioritize patching immediately to mitigate risks associated with this vulnerability.

What is the severity of CVE-2025-11953?

CVE-2025-11953 has a severity rating of CRITICAL with a CVSS base score of 9.8.

Is CVE-2025-11953 in CISA KEV?

Yes. CVE-2025-11953 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Organizations should prioritize remediation.

CVE-2025-11953 | Critical Vulnerability in React Native Community CLI

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

The CVSS score for this vulnerability is 9.8, indicating a critical severity level. This means that the potential impact on organizations is significant, as attackers may leverage this vulnerability to gain unauthorized access to systems and execute malicious commands. Organizations should prioritize patching immediately.

The vulnerability is actively tracked in the Known Exploited Vulnerabilities catalog, highlighting its urgency for remediation. The presence of known exploits further emphasizes the critical nature of this vulnerability.

Organizations using the affected versions of the React Native Community CLI need to take immediate action to protect their systems and data from potential exploitation.

Vulnerability Details

This vulnerability allows an attacker to execute arbitrary commands on the affected system. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')). The affected product is the React Native Community CLI, specifically versions 18.0.0, 19.0.0 through 19.1.2, and 20.0.0 alpha versions.

The vulnerability was published on November 3, 2025, and it is marked as analyzed. The impact on confidentiality, integrity, and availability is high, making this a significant risk for organizations.

Technical Analysis

The root cause of this vulnerability lies in the default configuration of the Metro Development Server, which binds to external interfaces. This configuration flaw allows attackers to send crafted POST requests to execute arbitrary commands.

The attack vector is network-based, requiring low complexity and no privileges to exploit. User interaction is not required, making it easier for attackers to leverage this vulnerability. The impacts include high confidentiality, integrity, and availability risks.

Risk & Impact Analysis

Risk to organizations includes unauthorized command execution, leading to potential data breaches, system manipulation, and complete system compromise. The blast radius is significant due to the ability of attackers to run arbitrary commands.

Organizations should assess their exposure to this vulnerability and prioritize remediation based on their risk profile. The urgency of addressing this vulnerability is critical, as the exploitation potential is high.

Signal	Status
Known Exploit	Yes
Public PoC	Yes
Actively Exploited	Yes
Ransomware Use	No

Affected Versions

The following versions of the React Native Community CLI are affected: 18.0.0, all versions from 19.0.0 to 19.1.2, and the alpha versions of 20.0.0.

Mitigation & Remediation

Organizations should apply the patch provided by the React Native Community to remediate this vulnerability. For those unable to apply updates immediately, it is recommended to restrict access to the Metro Development Server to trusted networks only.

For further guidance on mitigation strategies, organizations may refer to the React Native Community's official communication.

Organizations should validate remediation through penetration testing to identify similar weaknesses.

Detection Guidance

Organizations should monitor logs for unusual activity, especially unauthorized POST requests to the Metro Development Server. Monitoring network traffic for attempts to exploit this vulnerability is also recommended.

AppSecure Threat Intelligence Insight

The significance of CVE-2025-11953 lies in its potential for widespread exploitation due to the default configuration of the Metro Development Server. This highlights the importance of secure default settings in development environments.

Security teams should enhance their threat detection capabilities to identify and respond to such vulnerabilities proactively. For more information on best practices, organizations can refer to the following resources: penetration testing methodology, vulnerability management program design, and API penetration testing to ensure comprehensive security coverage.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-11953: Critical Vulnerability in React Native Community CLI