CVE-2025-11953

CRITICAL KEV

react-native-community/cli < 20.0.0 - Unauthenticated OS Command Injection via Metro Development Server

Title source: llm

Exploitation Summary

CVE-2025-11953 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added February 5, 2026. EIP tracks 5 public exploits from researchers including SaidBenaissa, N3k0t-dev and boroeurnprach.

AI-analyzed exploit summary

This repository contains functional exploit code demonstrating CVE-2025-11953, a command injection vulnerability in React Native CLI's Metro Development Server. The PoC includes scripts for various attack scenarios (Windows, PowerShell, Unix) targeting the `/open-url` endpoint.

Description

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Exploits (5)

github WORKING POC 4 stars
by SaidBenaissa · powershellremote
https://github.com/SaidBenaissa/cve-2025-11953-vulnerability-demo

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: @react-native-community/cli-server-api versions [4.8.0, 20.0.0)
No auth needed
Prerequisites: Network access to vulnerable Metro server · Server running on default port (8082)
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 1 star
by N3k0t-dev · remote
https://github.com/N3k0t-dev/PoC-CVE-collection

This repository contains a functional exploit for CVE-2025-11953, a critical command injection vulnerability in React Native Community CLI Metro Development Server. The exploit includes both basic and advanced payloads for achieving remote code execution on Windows, Linux, and macOS systems.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: react-native-community/cli-server-api versions 4.8.0 to 20.0.0-alpha.2
No auth needed
Prerequisites: Access to the Metro Development Server on port 8081 · Network connectivity to the target
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by boroeurnprach · remote-auth
https://github.com/boroeurnprach/CVE-2025-11953-PoC

This repository contains a working PoC for CVE-2025-11953, demonstrating an OS command injection vulnerability in the Metro Development Server used by React Native Community CLI. The exploit leverages a vulnerable endpoint to execute arbitrary commands, such as launching 'calc.exe' on Windows.

Classification: Working PoC (90%) · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: @react-native-community/cli (versions 4.8.0 - 20.0.0-alpha.2)
No auth needed
Prerequisites: Network access to the vulnerable Metro Development Server · Server running on default or exposed interface
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by Mr-In4inci3le · remote
https://github.com/Mr-In4inci3le/CVE-2025-11953-POC-

This repository contains a functional proof-of-concept for CVE-2025-11953, demonstrating an OS command injection vulnerability in React Native CLI's Metro development server via the `/open-url` endpoint. The code includes vulnerable server implementations and exploit tests for research purposes.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Trivial · Reliability: Reliable
Target: @react-native-community/cli-server-api v4.8.0 – v20.0.0-alpha.2
No auth needed
Prerequisites: Node.js environment · Windows/Unix-based system · Network access to vulnerable server
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC
by GhoStZA-debug · poc
https://github.com/GhoStZA-debug/PoC-CVE-collection

This repository contains a functional exploit for CVE-2025-11953, a critical OS command injection vulnerability in React Native Community CLI Metro Development Server. The exploit includes both basic and advanced payloads, demonstrating arbitrary command execution via the unsanitized `open-url` endpoint.

Classification: Working PoC (95%) · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: react-native-community/cli-server-api (4.8.0 - 20.0.0-alpha.2)
No auth needed
Prerequisites: Metro server running on port 8081 · Network access to the target
devstral-2 · analyzed Mar 07, 2026

Scores

CVSS v3 9.8
EPSS 0.3262
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-02-05
VulnCheck KEV 2025-12-21
ENISA EUVD EUVD-2025-37505
CWE
CWE-78
Status published
Products (5)
react-native-community/cli 20.0.0-alpha.0 - 20.0.0 (npm)
react-native-community/cli-server-api 20.0.0-alpha.0 - 20.0.0 (npm)
react-native-community/react_native_community_cli 18.0.0
react-native-community/react_native_community_cli 20.0.0 alpha0 (3 CPE variants)
react-native-community/react_native_community_cli 19.0.0 - 19.1.2
Published Nov 03, 2025
KEV Added Feb 05, 2026
Tracked Since Feb 18, 2026