
CVE-2025-11953: Critical OS Command Injection Vulnerability in React Native Community CLI’s Metro Development Server Allows Remote Code Execution

  • Rescana
  • 17 hours ago
  • 5 min read

Executive Summary

A critical OS command injection vulnerability, tracked as CVE-2025-11953 with a CVSS score of 9.8, has been identified in the React Native Community CLI’s Metro Development Server. This vulnerability exposes developer environments to unauthenticated remote code execution attacks. The flaw is present in all versions of the Metro Development Server prior to the security patch and is especially severe on Windows platforms, though macOS and Linux are also affected. The vulnerability is trivially exploitable, requires no authentication, and can be triggered remotely if the Metro server is accessible on the network. Public proof-of-concept exploits and technical analyses have been released, significantly increasing the risk of widespread exploitation. Immediate action is required to mitigate this threat, particularly for organizations with developer workstations or CI/CD environments utilizing React Native.

Technical Information

The vulnerability in question is an OS command injection (CWE-78) in the Metro Development Server, a core component of the React Native Community CLI. The server exposes a debugging endpoint, /open-stack-frame, which is designed to facilitate rapid navigation to source code locations in a developer’s editor. This endpoint accepts POST requests containing parameters such as file and lineNumber. The vulnerability arises from the server’s failure to properly sanitize these parameters before constructing a command line invocation for the configured editor.

On Windows, the server leverages Node.js’s child_process.spawn to launch the editor, passing the file and lineNumber as arguments. If an attacker supplies shell metacharacters in the lineNumber parameter, these are interpreted by cmd.exe, enabling arbitrary command execution. For example, a malicious request with a payload such as:

```json
{ "file": "C:\\Windows\\system.ini", "lineNumber": "123\" && calc" }
```

would result in the server launching both the intended editor and the Windows calculator (calc.exe). This demonstrates the ability to execute arbitrary commands on the host system.

On macOS and Linux, the risk profile is slightly different. Arguments are passed directly to the editor binary, so exploitation depends on the specific editor’s argument parsing. However, the lack of input validation still presents a significant risk, especially if the editor or its plugins are susceptible to command injection or if the attacker can leverage other vectors.

The root causes of this vulnerability are insufficient input validation, insecure command construction, and the default network exposure of the Metro server, which binds to all interfaces and is accessible on port 8081. Critically, no authentication is required to exploit this flaw if the attacker can reach the Metro server’s port.

The vulnerability affects all versions of the React Native Community CLI prior to commit 15089907d1f1301b22c72d7f68846a2ef20df547. The issue is most severe on Windows due to the way command arguments are handled, but all platforms are at risk.

Exploitation in the Wild

Public proof-of-concept exploits and technical write-ups have confirmed that exploitation is possible on all major platforms. Security researchers have demonstrated successful attacks on Windows, macOS, and Linux developer environments. The threat context is particularly acute for developers running the Metro server with default settings on shared, public, or otherwise untrusted networks, as this exposes the vulnerable endpoint to remote attackers.

As of the time of this report, there have been no confirmed mass exploitation campaigns or targeted attacks attributed to this vulnerability. However, the availability of public PoCs, combined with the ease of exploitation and the prevalence of React Native in the mobile development ecosystem, makes widespread attacks highly likely. Organizations should assume that unpatched systems are at imminent risk, especially in environments where network segmentation is weak or where developer workstations are exposed to the internet or large internal networks.

APT Groups using this vulnerability

No specific advanced persistent threat (APT) group has been publicly linked to exploitation of CVE-2025-11953 as of this report. Open-source intelligence and MITRE ATT&CK mappings indicate that the techniques enabled by this vulnerability—specifically, command and scripting interpreter abuse (T1059.003) and exploitation of public-facing applications (T1190)—are commonly used by a wide range of threat actors, including both financially motivated cybercriminals and state-sponsored groups. The lack of authentication and the ubiquity of the React Native Community CLI in developer environments make this vulnerability an attractive target for both opportunistic and targeted attacks. Given the rapid weaponization of similar vulnerabilities in the past, it is highly probable that APT groups and other sophisticated actors will incorporate this exploit into their toolchains if they have not already done so.

Affected Product Versions

All versions of the React Native Community CLI prior to commit 15089907d1f1301b22c72d7f68846a2ef20df547 are affected. This includes, but is not limited to, versions v1.0.0 through v20.0.1. The vulnerability is fixed in v20.0.2 and later. Any deployment of the Metro Development Server using a version of the CLI released before v20.0.2 is vulnerable to this attack. The risk is present across all supported operating systems, with Windows being the most susceptible due to the nature of command argument parsing in cmd.exe.

Workaround and Mitigation

The primary mitigation is to upgrade the React Native Community CLI to v20.0.2 or later, which incorporates the official patch for CVE-2025-11953. Organizations should ensure that all developer workstations, CI/CD pipelines, and build servers are running the patched version. In addition to upgrading, it is critical to restrict network access to the Metro server. The server should never be exposed to untrusted networks or the public internet. Network segmentation, host-based firewalls, and VPN access controls should be used to limit access to trusted users and systems only.

Administrators should audit logs for suspicious POST requests to the /open-stack-frame endpoint, particularly those containing unusual or malformed lineNumber or file parameters. Any unexpected process launches originating from the Metro server, such as calc.exe, cmd.exe, or non-standard editors, should be investigated as potential indicators of compromise. Developer environments, especially on Windows, should be reviewed for signs of unauthorized access or lateral movement.

As a defense-in-depth measure, organizations should consider implementing application whitelisting, endpoint detection and response (EDR) solutions, and regular vulnerability scanning of developer environments. Security awareness training for developers regarding the risks of exposing development tools to untrusted networks is also recommended.

References

  • ZeroPath Technical Analysis: https://zeropath.com/blog/cve-2025-11953-react-native-metro-cli-os-command-injection
  • NVD Entry for CVE-2025-11953: https://nvd.nist.gov/vuln/detail/CVE-2025-11953
  • GitHub Advisory: https://github.com/advisories/GHSA-399j-vxmf-hjvr
  • JFrog Blog Post: https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/
  • Official Patch Commit: https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
  • CWE-78: OS Command Injection: https://cwe.mitre.org/data/definitions/78.html
  • React Native Community CLI Releases: https://github.com/react-native-community/cli/releases

Rescana is here for you

At Rescana, we understand that the security of your development environments is critical to your business. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and manage the security posture of their software supply chain and development tools. While this advisory focuses on a specific vulnerability in the React Native Community CLI, our platform is designed to help you identify, prioritize, and remediate risks across your entire ecosystem. If you have any questions about this advisory or need assistance with incident response, our team of cybersecurity experts is ready to help. Please contact us at ops@rescana.com.
