{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11953", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "state": "PUBLISHED", "assignerShortName": "JFROG", "dateReserved": "2025-10-20T10:34:44.694Z", "datePublished": "2025-11-03T16:35:07.168Z", "dateUpdated": "2025-11-11T17:06:16.919Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.npmjs.com", "defaultStatus": "unaffected", "packageName": "@react-native-community/cli-server-api", "versions": [{"lessThan": "20.0.0", "status": "affected", "version": "4.8.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.</p>"}], "value": "The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2025-11-03T19:10:09.928Z"}, "references": [{"tags": ["technical-description"], "url": "https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability"}, {"tags": ["patch"], "url": "https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547"}], "source": {"discovery": "EXTERNAL"}, "title": "Command injection in React Native Community CLI allows remote attackers to perform remote code execution by sending HTTP requests", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-03T20:49:27.565497Z", "id": "CVE-2025-11953", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T20:49:36.194Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-11T17:06:16.919Z"}, "references": [{"url": "https://x.com/SzymonRybczak/status/1986199665000566848"}, {"url": "https://x.com/thymikee/status/1986770875954475375"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://x.com/SzymonRybczak/status/1986199665000566848"}, {"url": "https://x.com/thymikee/status/1986770875954475375"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-11T17:06:16.919Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11953", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-03T20:49:27.565497Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-03T20:49:31.570Z"}}], "cna": {"title": "Command injection in React Native Community CLI allows remote attackers to perform remote code execution by sending HTTP requests", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"versions": [{"status": "affected", "version": "4.8.0", "lessThan": "20.0.0", "versionType": "semver"}], "packageName": "@react-native-community/cli-server-api", "collectionURL": "https://www.npmjs.com", "defaultStatus": "unaffected"}], "references": [{"url": "https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability", "tags": ["technical-description"]}, {"url": "https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.", "supportingMedia": [{"type": "text/html", "value": "<p>The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2025-11-03T19:10:09.928Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11953", "state": "PUBLISHED", "dateUpdated": "2025-11-11T17:06:16.919Z", "dateReserved": "2025-10-20T10:34:44.694Z", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "datePublished": "2025-11-03T16:35:07.168Z", "assignerShortName": "JFROG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments."}], "id": "CVE-2025-11953", "lastModified": "2025-11-11T17:15:38.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "reefs@jfrog.com", "type": "Secondary"}]}, "published": "2025-11-03T17:15:32.677", "references": [{"source": "reefs@jfrog.com", "url": "https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547"}, {"source": "reefs@jfrog.com", "url": "https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://x.com/SzymonRybczak/status/1986199665000566848"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://x.com/thymikee/status/1986770875954475375"}], "sourceIdentifier": "reefs@jfrog.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "reefs@jfrog.com", "type": "Secondary"}]}

{"bugzilla": {"description": "@react-native-community/cli-server-api: Command injection in React Native CLI", "id": "2412025", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2412025"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-11953", "public_date": "2025-11-03T16:35:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-11953\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-11953\nhttps://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547\nhttps://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability"], "statement": "The complexity of exploitation on Linux is significantly higher than on Windows as the attacker may only trigger executable which have been pre-installed and which are accessible to the affected program.", "threat_severity": "Important"}

{"created": "2025-11-04T16:34:50.101508+00:00", "updated": "2025-11-04T16:34:50.101534+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$windows", "react-native-community", "react-native-community$PRODUCT$cli"]}