CVE-2025-11953 Overview
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection (CWE-78). This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
Critical Impact
This vulnerability enables unauthenticated remote code execution through OS command injection, allowing attackers to compromise development environments and potentially gain full system access. CISA has added this vulnerability to their Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
Affected Products
- React Native Community CLI (all versions prior to patch)
- React Native Community CLI version 18.0.0
- React Native Community CLI version 20.0.0-alpha0, 20.0.0-alpha1, 20.0.0-alpha2
Discovery Timeline
- 2025-11-03 - CVE-2025-11953 published to NVD
- 2026-02-06 - Last updated in NVD database
Technical Details for CVE-2025-11953
Vulnerability Analysis
This vulnerability affects the Metro Development Server component of the React Native Community CLI. The core issue lies in insufficient URL validation in the openURLMiddleware.ts endpoint. When the Metro server starts, it binds to external network interfaces by default rather than localhost only, exposing the vulnerable endpoint to network-accessible attackers.
The openURLMiddleware accepts URL parameters from POST requests without proper protocol validation, allowing attackers to inject malicious payloads that are passed to the system's open command. This design flaw enables unauthenticated command injection attacks from any network-reachable attacker.
Root Cause
The root cause is improper input validation (CWE-78: OS Command Injection) in the URL handling middleware. The vulnerable code path accepts arbitrary URL schemes and passes them directly to the open() function without validating the protocol. This allows attackers to craft malicious URLs with unexpected protocols or command injection payloads that are then executed by the underlying operating system.
Attack Vector
Attackers can exploit this vulnerability by sending crafted POST requests to the Metro Development Server's open URL endpoint. Since the server binds to external interfaces by default, any unauthenticated user on the same network can reach the vulnerable endpoint. The attack is particularly severe on Windows systems where attackers can execute arbitrary shell commands with fully controlled arguments, enabling complete system compromise.
// Security patch in packages/cli-server-api/src/openURLMiddleware.ts
// Source: https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
const {url} = req.body as {url: string};
+ try {
+ const parsedUrl = new URL(url);
+ if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+ res.writeHead(400);
+ res.end('Invalid URL protocol');
+ return;
+ }
+ } catch (error) {
+ res.writeHead(400);
+ res.end('Invalid URL format');
+ return;
+ }
+
await open(url);
res.writeHead(200);
The patch adds strict URL validation to ensure only http: and https: protocols are accepted, preventing command injection through malicious URL schemes.
Detection Methods for CVE-2025-11953
Indicators of Compromise
- Unexpected POST requests to Metro Development Server endpoints (typically port 8081)
- Unusual process spawning from Metro server or Node.js processes
- Network connections to development servers from external IP addresses
- System command execution logs showing suspicious open command invocations
Detection Strategies
- Monitor network traffic for POST requests to Metro server endpoints from non-localhost sources
- Implement network segmentation to isolate development environments from untrusted networks
- Review system process trees for unexpected child processes spawned by Metro/Node.js
- Configure host-based intrusion detection to alert on command injection patterns
Monitoring Recommendations
- Enable logging on Metro Development Server instances to capture incoming requests
- Deploy network monitoring to detect external access attempts to port 8081 (default Metro port)
- Implement endpoint detection and response (EDR) solutions to monitor for suspicious process chains
- Review firewall logs for connections to development server ports from external networks
How to Mitigate CVE-2025-11953
Immediate Actions Required
- Update React Native Community CLI to a patched version immediately
- Configure Metro Development Server to bind only to localhost (127.0.0.1) instead of all interfaces
- Implement network-level access controls to restrict access to development servers
- Audit systems for signs of compromise if development servers were exposed to untrusted networks
Patch Information
React Native Community has released a security patch that adds stricter URL validation to the openURLMiddleware. The fix validates that only http: and https: protocols are accepted before passing URLs to the system's open command. The patch is available in commit 15089907d1f1301b22c72d7f68846a2ef20df547.
Organizations should update their React Native Community CLI installations to incorporate this security fix. Additional technical analysis is available from JFrog's security research blog and VulnCheck's analysis.
Workarounds
- Configure Metro to bind to localhost only by modifying the server configuration
- Use firewall rules to block external access to Metro Development Server ports (default 8081)
- Run development servers within isolated network segments or VPNs
- Consider using containerized development environments with network isolation
# Configuration example - Bind Metro server to localhost only
# In metro.config.js or via CLI arguments
npx react-native start --host 127.0.0.1
# Alternatively, configure firewall to block external access to port 8081
# Linux (iptables)
iptables -A INPUT -p tcp --dport 8081 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8081 -j DROP
# Windows (PowerShell)
New-NetFirewallRule -DisplayName "Block Metro External" -Direction Inbound -LocalPort 8081 -Protocol TCP -RemoteAddress "!127.0.0.1" -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
