
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-11953: React Native's Open Door Policy: The Anatomy of CVE-2025-11953


Vulnerability ID: CVE-2025-11953
CVSS Score: 9.8
Published: 2025-11-03

In the world of modern development, 'Developer Experience' (DX) is king. Tools are designed to be frictionless, magical, and zero-config. But sometimes, that magic involves binding a server to 0.0.0.0 and letting unauthenticated network traffic execute shell commands on your workstation. CVE-2025-11953 is a critical Remote Code Execution (RCE) vulnerability in the React Native CLI's Metro server that turns a developer's convenience into a hacker's playground.

TL;DR

A critical RCE in @react-native-community/cli (the Metro development server) lets an unauthenticated attacker on the same network execute arbitrary commands on a developer's machine via the /open-url endpoint: the server hands the supplied URL to the OS shell without sanitizing it.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-78 (OS Command Injection)
  • CVSS v3.1: 9.8 (Critical)
  • Attack Vector: Network (AV:N)
  • EPSS Score: 0.405% (Rising)
  • Vulnerable Component: Metro Server Middleware (openURL)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • React Native Development Environments
  • Metro Bundler
  • Windows Workstations (Primary Target)
  • macOS/Linux Workstations (Secondary Target)
  • @react-native-community/cli: >= 4.8.0 < 20.0.0 (Fixed in: 20.0.0)

Code Analysis

Commit: 1508990

fix: sanitize url in openURLMiddleware to prevent command injection

+ const parsedUrl = new URL(url);
+ if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:')
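Review bot: the excerpt shows the protocol allow-list but not the branch taken when it fails, nor what happens when `new URL(url)` throws on a string that is not an absolute URL; both cases should end in a rejected request (a 4xx response) rather than falling through to the launcher. It is also worth confirming in the rest of the change that the validated URL is then passed to the opener as a separate argument (execFile-style) rather than interpolated into a shell command line, since a protocol check on its own does not neutralise shell metacharacters that follow a valid `http://` prefix.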

Exploit Details

  • GitHub: Python script demonstrating remote command execution on Windows targets.

Mitigation Strategies

  • Upgrade @react-native-community/cli to v20.0.0+
  • Restrict Metro server binding to localhost (127.0.0.1)
  • Implement host-based firewall rules to block port 8081 on public networks

Remediation Steps:

  1. Run npm outdated @react-native-community/cli to check your version.
  2. Update the package: npm install @react-native-community/cli@latest or yarn upgrade @react-native-community/cli.
  3. Verify the version is >= 20.0.0.
  4. Edit metro.config.js to set server.host = '127.0.0.1'.
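The mitigation list and the remediation steps above amount to two checks a developer can run on their own workstation: is Metro's port bound to every interface, and is the installed CLI inside the affected range? The following added audit script (not code from the page or the React Native project) does both. It parses the output shapes of `ss -ltn` (Linux), `netstat -ano` (Windows) and `npm ls @react-native-community/cli --json`; the three samples embedded in it are constructed, not captured from a real host, and the function names are my own.

```javascript
'use strict';
// Added example (not from the page or the React Native project): workstation audit for the
// two remediation checks. All sample inputs below are constructed, not real captures.

const METRO_PORT = 8081;                                    // Metro's default port, as the page states
const WILDCARD_HOSTS = new Set(['0.0.0.0', '*', '::', '[::]']);
const AFFECTED_RANGE = { from: '4.8.0', before: '20.0.0' }; // ">= 4.8.0 < 20.0.0" from the page

// "addr:port" -> { host, port }; lastIndexOf keeps bracketed IPv6 hosts such as "[::]" intact.
function splitHostPort(field) {
  const idx = field.lastIndexOf(':');
  const port = Number(field.slice(idx + 1));
  if (idx < 0 || !Number.isInteger(port)) return null;
  return { host: field.slice(0, idx), port };
}

// Accepts `ss -ltn` rows ("LISTEN Recv-Q Send-Q Local Peer") or `netstat -ano` rows
// ("TCP Local Foreign LISTENING PID") and returns Metro listeners bound to every interface.
function findExposedMetroListeners(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const cols = line.trim().split(/\s+/);
    let localField = null;
    if (cols[0] === 'LISTEN') localField = cols[3];
    else if (cols[0] === 'TCP' && cols[3] === 'LISTENING') localField = cols[1];
    if (localField === null) continue;
    const local = splitHostPort(localField);
    if (local && local.port === METRO_PORT && WILDCARD_HOSTS.has(local.host)) {
      findings.push({ host: local.host, port: local.port });
    }
  }
  return findings;
}

// Minimal semver: "MAJOR.MINOR.PATCH[-prerelease]" -> comparable array. A prerelease sorts
// below its release, so 20.0.0-rc.1 is still treated as inside the affected range.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}
function cmpSemver(a, b) {
  for (let i = 0; i < 4; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// true = affected, false = outside the range, null = unparseable (report it, do not guess).
function isAffectedCliVersion(version) {
  const v = parseSemver(version);
  if (!v) return null;
  return cmpSemver(v, parseSemver(AFFECTED_RANGE.from)) >= 0 &&
         cmpSemver(v, parseSemver(AFFECTED_RANGE.before)) < 0;
}

// Reads the installed version out of `npm ls <pkg> --json` output (top-level dependency only).
function installedCliVersion(npmLsJson) {
  const tree = JSON.parse(npmLsJson);
  const dep = tree.dependencies && tree.dependencies['@react-native-community/cli'];
  return dep ? dep.version : null;
}

// Constructed samples (not real captures).
const SAMPLE_SS = [
  'State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process',
  'LISTEN 0      511          0.0.0.0:8081       0.0.0.0:*',
  'LISTEN 0      511        127.0.0.1:8081       0.0.0.0:*',
  'LISTEN 0      128          0.0.0.0:22         0.0.0.0:*',
].join('\n');
const SAMPLE_NETSTAT = [
  '  Proto  Local Address          Foreign Address        State           PID',
  '  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       4321',
  '  TCP    [::]:8081              [::]:0                 LISTENING       4321',
  '  TCP    127.0.0.1:8081         0.0.0.0:0              LISTENING       4321',
].join('\n');
const SAMPLE_NPM_LS = JSON.stringify({
  name: 'demo-app',
  dependencies: { '@react-native-community/cli': { version: '15.0.1' } },
});

console.log('exposed (ss):     ', findExposedMetroListeners(SAMPLE_SS));      // one finding: 0.0.0.0:8081
console.log('exposed (netstat):', findExposedMetroListeners(SAMPLE_NETSTAT)); // two: 0.0.0.0 and [::]
console.log('cli affected:     ', isAffectedCliVersion(installedCliVersion(SAMPLE_NPM_LS))); // true
```

On a real machine, pipe the live command output into `findExposedMetroListeners` and `installedCliVersion`; a listener on 127.0.0.1 (or [::1]) produces no finding, which is the state the page's remediation step 4 aims for.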

References


Read the full report for CVE-2025-11953 on our website for more details including interactive diagrams and full exploit analysis.
