Critical Remote Code Execution Vulnerability in React Native Community CLI (CVE-2025-11953)

ISGroup Cybersecurity

CVE-2025-11953 is a critical Remote Code Execution (RCE) vulnerability affecting the widely used React Native Community CLI, specifically the @react-native-community/cli-server-api package in versions 4.8.0 through 20.0.0-alpha.2. This package, maintained by Meta and downloaded 1.5 to 2 million times per week, allows developers to build React Native mobile applications.

The vulnerability stems from an OS command injection flaw in the Metro Development Server, which binds to external interfaces by default rather than localhost. An unauthenticated attacker on the same network can exploit this flaw to execute arbitrary OS commands on the computers of developers running vulnerable versions of the CLI.

With a CVSS score of 9.8 (Critical) and high ease of exploitation without authentication, this vulnerability poses a significant risk to the entire React Native developer ecosystem. Organizations must prioritize applying the patch immediately to prevent potential supply chain compromises and the takeover of developer machines.

Productcom.facebook.react.packagerconnection
Date2025-11-06 10:50:36
Information
  • Trending

Technical Summary

The vulnerability is located in the /open-url endpoint of the Metro Development Server, which handles POST requests without proper input validation. The endpoint accepts user-provided input and passes it directly to the insecure open() function provided by the open NPM package, resulting in OS command execution.

Vulnerable code flow:

  1. The Metro server binds by default to external network interfaces (0.0.0.0) instead of limiting itself to localhost (127.0.0.1)
  2. The server exposes the /open-url endpoint which accepts POST requests
  3. User-controlled input from the POST request body is passed without sanitization to the open() function
  4. The open() function executes system commands to open URLs/files, but can be manipulated to execute arbitrary commands

Exploitation characteristics:

  • Windows systems: attackers gain full OS command execution with complete control over command arguments, allowing the execution of arbitrary shell commands such as cmd.exe /c malicious-command
  • Linux/macOS systems: attackers can launch arbitrary executables with limited control over parameters (though further research may allow for full command execution)

Attack vector example:

An attacker on the same network can send a malicious POST request to the exposed Metro server:

POST http://<target-ip>:8081/open-url
Content-Type: application/json

{
  "url": "malicious-payload-here"
}

The vulnerability is particularly dangerous because:

  • No authentication required – any network attacker can exploit it
  • Vulnerable default configuration – developers are exposed out of the box when they run react-native start
  • Accessible from the network – not limited to local exploits; attackers on the same WiFi, VPN, or corporate network can attack
  • Targeting developers – compromising developer machines can lead to supply chain attacks affecting downstream applications

Recommendations

The fix (version 20.0.0) resolves the vulnerability by properly validating and sanitizing input before passing it to the open() function, thus preventing command injection.

Apply the patch immediately

Update the @react-native-community/cli-server-api package to version 20.0.0 or higher in all React Native projects. This can be done by:

  • Updating @react-native-community/cli to version 20.0.0 or later (which includes the patched version of cli-server-api)
  • Running npm update @react-native-community/cli-server-api or yarn upgrade @react-native-community/cli-server-api in each project directory
  • Verifying the update with npm ls @react-native-community/cli-server-api

Implement network binding restrictions

If you cannot apply the patch immediately, configure the Metro Development Server to explicitly bind to localhost by doing the following:

  • Modify the server configuration to listen only on 127.0.0.1 instead of 0.0.0.0
  • Use firewall rules to block external access to port 8081 (Metro’s default port)
  • Run development servers behind a VPN or isolated network segments

Research and monitoring

Initiate immediate security assessments:

  • Analyze network logs for suspicious POST requests to /open-url endpoints on port 8081
  • Examine developer machines for signs of compromise, including the execution of unexpected processes
  • Verify unauthorized access attempts from external IP addresses to development servers
  • Monitor unusual outbound connections from developer machines that could indicate command-and-control activity

Apply defense in depth

Implement additional security layers:

  • Network segmentation: isolate development environments from production networks
  • Intrusion Detection Systems (IDS): configure alerts for command injection patterns targeting Metro servers
  • Endpoint Detection and Response (EDR) solutions: deploy EDR solutions on developer machines to detect malicious process execution
  • Supply chain scanning: implement automated dependency scanning to identify vulnerable packages before deployment
  • Principle of least privilege: ensure developer accounts do not have unnecessary administrative privileges that could amplify the impact of a compromise

Verify your exposure

Not all React Native developers are vulnerable:

  • The vulnerability only exists if you use Metro as a development server – developers using alternative frameworks that do not rely on Metro are not affected
  • Check if your development workflow actively uses react-native start or the Metro bundler
  • Check if vulnerable versions of the package are actually in use in your dependency tree

[Callforaction-THREAT-Footer]