CVE ID

CVE-2025-11953

Published 2025-11-03
Updated 3 months ago
Vendor/s
React Native Community
Product/s
CLI
Version/s
19.0.0 to 19.1.2 (exclusive)
KEV Status
Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
9.8 / 10 (Critical)
Severity Details
Base score
9.8 Critical
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Description

CVE-2025-11953 is a critical (9.8) RCE vulnerability in React Native CLI's Metro server. Unauthenticated attackers can execute commands on dev machines.

CPE

React Native Community
Product                     Version Start   Version End (excl.)   Status
react_native_community_cli  19.0.0          19.1.2                vulnerable
react_native_community_cli  18.0.0          18.0.0                vulnerable
react_native_community_cli  20.0.0          20.0.0                vulnerable

Related weakness (CWE)

CWE-78

Remediation plan

1. Apply official patches

Update the @react-native-community/cli package to the latest patched version provided by the React Native Community. Ensure that the Metro server configuration is updated to prevent binding to public network interfaces by default.

2. Update affected systems

Immediately upgrade systems running vulnerable versions, specifically version 18.0.0, versions between 19.0.0 and 19.1.1, and version 20.0.0. Ensure your project's package.json and lock files reflect these updates to prevent re-introduction.

3. Restrict access

Configure the Metro Development Server to bind only to localhost (127.0.0.1) instead of 0.0.0.0. Use local firewall rules or security groups to block external access to the default Metro port (usually 8081) from untrusted networks.

4. Monitor for exploitation

Audit system logs for suspicious POST requests targeting the Metro server endpoint and monitor for unexpected child processes spawned by the Node.js process associated with the React Native CLI, particularly shell executions like cmd.exe or /bin/sh.

Detection Guidance

Detect exploitation by monitoring network traffic for unauthorized POST requests to the Metro Development Server (default port 8081). On Windows hosts, look for the Node.js process spawning cmd.exe, powershell.exe, or other unexpected executables with suspicious arguments. Security teams should also scan for development environments exposing the Metro server to external interfaces and check for the presence of vulnerable versions in package-lock.json or yarn.lock files across the organization.
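The two host-side checks described in remediation step 2 and in the detection guidance above (finding affected @react-native-community/cli versions in a lock file, and flagging POST requests to the Metro server that did not originate from the local machine) as one added Node.js example. This is not code from the advisory or from the React Native CLI project. The affected ranges are taken from the CPE table on this page; the package-lock.json contents, the access-log line format and the request paths in it are constructed for the example, so the log regex must be adapted to whatever request logging your Metro server or proxy actually emits.

```javascript
// Added example (not from the advisory or the React Native CLI project).
// Two defender-side checks for CVE-2025-11953 on a development host:
//   1. flag @react-native-community/cli versions listed as affected on this page
//      (18.0.0, 19.0.0 up to but not including 19.1.2, 20.0.0) in a package-lock.json
//   2. flag POST requests to the Metro dev server that did not come from loopback
// The lock file and log lines below are constructed sample data, not real captures.

const CLI_PACKAGE = '@react-native-community/cli';

// Affected versions as given in the CPE table above: two exact versions and one range.
const AFFECTED = [
  { exact: '18.0.0' },
  { from: '19.0.0', before: '19.1.2' },
  { exact: '20.0.0' },
];

// Compare dotted numeric versions (major.minor.patch); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when a version string falls inside one of the affected entries.
function isAffectedVersion(version) {
  // drop a leading "v"/"=" and any prerelease or build suffix before comparing
  const v = version.replace(/^[v=]/, '').split(/[-+]/)[0];
  return AFFECTED.some((r) =>
    r.exact
      ? compareVersions(v, r.exact) === 0
      : compareVersions(v, r.from) >= 0 && compareVersions(v, r.before) < 0);
}

// Walk a parsed package-lock.json and return every affected CLI install found.
// lockfileVersion 2/3 lists installs under "packages" keyed by path; v1 nests "dependencies".
function findAffectedCliEntries(lockJson) {
  const hits = [];
  if (lockJson.packages) {
    for (const [path, entry] of Object.entries(lockJson.packages)) {
      if (path.endsWith('node_modules/' + CLI_PACKAGE) && entry.version && isAffectedVersion(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === CLI_PACKAGE && entry.version && isAffectedVersion(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, path + '/');
    }
  };
  walk(lockJson.dependencies, '');
  return hits;
}

// Constructed log format for this example: <timestamp> <src_ip>:<src_port> "<METHOD> <path>" <status>
const LOG_LINE = /^(\S+) (\S+):\d+ "(\S+) (\S+)" (\d{3})$/;

function isLoopback(ip) {
  return ip === '::1' || ip === '::ffff:127.0.0.1' || ip.startsWith('127.');
}

// Return one alert per POST request whose source address is not the local machine.
// A dev server bound to 127.0.0.1 should never see such a request at all.
function flagExternalPosts(lines) {
  const alerts = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line.trim());
    if (!m) continue; // lines that do not match the constructed format are skipped
    const [, ts, src, method, path] = m;
    if (method === 'POST' && !isLoopback(src)) {
      alerts.push({ ts, src, path, reason: 'POST to Metro server from non-loopback source' });
    }
  }
  return alerts;
}

// Constructed sample lock file: one affected CLI version plus an unrelated package.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    'node_modules/@react-native-community/cli': { version: '19.1.1' },
    'node_modules/example-dep': { version: '1.0.0' },
  },
};

// Constructed sample log lines for a Metro server on the default port 8081; paths are placeholders.
const SAMPLE_LOG = [
  '2025-11-04T10:12:01Z 127.0.0.1:53111 "GET /index.bundle?platform=android" 200',
  '2025-11-04T10:12:03Z ::1:53120 "POST /example-path" 200',
  '2025-11-04T10:12:07Z 10.0.0.23:41552 "POST /example-path" 200',
  '2025-11-04T10:12:09Z 10.0.0.23:41553 "GET /status" 200',
  'malformed line that the parser skips',
];

function report() {
  return { affectedInstalls: findAffectedCliEntries(SAMPLE_LOCK), externalPosts: flagExternalPosts(SAMPLE_LOG) };
}

console.log(JSON.stringify(report(), null, 2));
```

Run it with `node`. On the constructed input it reports the 19.1.1 install as affected and a single alert for the POST from 10.0.0.23; the loopback POST and the external GET are not flagged. To use it against real projects, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` and feed `flagExternalPosts` the lines from whatever proxy or server log records requests to port 8081, adjusting `LOG_LINE` to that format.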

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
