theinfosecnews

CVE-2025-11953

CISA KEV

Published February 5, 2026 · Updated April 3, 2026

high

What This Means

# CVE-2025-11953: React Native Community CLI Command Injection

**What it is:** React Native Community CLI's Metro Development Server exposes an endpoint that accepts POST requests without proper input validation, allowing attackers to inject and execute arbitrary OS commands on the host system.

**Impact:** An unauthenticated attacker with network access to a development server can execute arbitrary binaries and shell commands with the privileges of the Node.js process. On Windows systems, attackers gain full control over command arguments, increasing exploitation flexibility.

**What to do:** Immediately disable or restrict network access to Metro Development Server instances (typically port 8081). Update React Native Community CLI to a patched version when available. Do not expose development servers to untrusted networks. Review logs for POST requests to the vulnerable endpoint if your organization uses React Native CLI in development environments.
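Added example (not from the advisory or the React Native project): a small Python triage script for the "review logs" step above. It reads access-log lines in a constructed format, flags any request to the Metro Development Server port (8081) that arrives from a non-loopback address, and separately calls out POST requests. The log format and the path "/placeholder-endpoint" are assumptions, since the advisory does not name the vulnerable endpoint.

```python
import ipaddress
import re
from typing import List, NamedTuple

# Constructed log format for this example (NOT Metro's own log format):
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <METHOD> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
METRO_PORT = 8081  # default Metro Development Server port named in the advisory

class Finding(NamedTuple):
    ts: str
    src: str
    path: str
    reason: str

def is_loopback(ip: str) -> bool:
    # 127.0.0.0/8 or ::1; an unparseable address is treated as NOT loopback
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def scan(lines: List[str], port: int = METRO_PORT) -> List[Finding]:
    # Flag dev-server traffic that did not originate on the host itself.
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["port"]) != port:
            continue  # malformed line, or not dev-server traffic
        if is_loopback(m["src"]):
            continue  # local developer traffic is expected for a dev server
        if m["method"] == "POST":
            reason = "remote POST to Metro dev server: review against CVE-2025-11953"
        else:
            reason = "Metro dev server reachable from a non-loopback address"
        findings.append(Finding(m["ts"], m["src"], m["path"], reason))
    return findings

# Constructed sample lines; "/placeholder-endpoint" stands in for the unnamed vulnerable path.
SAMPLE_LOG = [
    "2026-02-06T09:12:01Z 127.0.0.1 -> 127.0.0.1:8081 GET /status 200",
    "2026-02-06T09:12:05Z 10.0.4.22 -> 10.0.4.7:8081 GET /status 200",
    "2026-02-06T09:12:09Z 10.0.4.22 -> 10.0.4.7:8081 POST /placeholder-endpoint 200",
    "2026-02-06T09:12:11Z 10.0.4.22 -> 10.0.4.7:3000 POST /api/login 200",
    "not a log line",
]
```

Running `scan(SAMPLE_LOG)` yields two findings: the remote GET shows the server is reachable off-host at all, and the remote POST is the line to check against the advisory.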

Official Description

React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary executables via a vulnerable endpoint exposed by the server. On Windows, attackers can also execute arbitrary shell commands with fully controlled arguments.

Affected Products

Vendor: React Native Community
Product: CLI

Patch Status

Patch by 2026-02-26

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2025-11953.

Related Coverage

Vulnerability

CVE-2025-11953: React Native Community CLI Metro Server Exposes OS Command Injection to Unauthenticated Attackers

CVE-2025-11953 is an OS command injection vulnerability in the React Native Community CLI's Metro Development Server that allows unauthenticated network attackers to execute arbitrary binaries and shell commands by sending crafted POST requests to a vulnerable endpoint. Windows systems face elevated risk due to full shell command argument control. CISA has added the vulnerability to its KEV catalog with a federal patch deadline of 2026-02-26.
