CVE-2025-11953: React Native Community CLI Metro Server Exposes OS Command Injection to Unauthenticated Attackers

CVE ID: CVE-2025-11953
Vendor: React Native Community
Product: React Native Community CLI (Metro Development Server)
Attack Vector: Network (unauthenticated)
Vulnerability Type: OS Command Injection (CWE-78)
CISA KEV Patch Deadline: 2026-02-26


Vulnerability Overview

CVE-2025-11953 is an OS command injection vulnerability in the React Native Community CLI. The flaw resides in the Metro Development Server, a local HTTP server that React Native CLI spins up during development to bundle JavaScript and communicate with connected devices or emulators.

Metro exposes an HTTP endpoint that accepts POST requests. Due to insufficient input validation, an unauthenticated attacker with network access to the server can craft POST requests that cause the server to execute arbitrary binaries on the underlying host operating system. The Node.js process running Metro performs no meaningful sanitization of attacker-supplied input before passing it to OS-level execution calls.

On Windows systems, the vulnerability's impact is broader. Attackers can execute arbitrary shell commands with fully controlled arguments, not just invoke binaries. This distinction matters operationally: Windows exploitation provides greater flexibility for follow-on activity including payload staging, lateral movement, and persistence mechanisms.


Technical Details

Metro Development Server typically listens on TCP port 8081. In standard development configurations, this port binds to all interfaces or is accessible over a local network, particularly in shared office environments, CI/CD pipelines, or developer machines connected to corporate networks.

The injection point is a POST endpoint that processes structured input without enforcing strict allowlists or sanitizing shell metacharacters. The server passes attacker-controlled data directly into an execution context, triggering command injection. The executing process inherits the privileges of the Node.js runtime, which on many developer workstations runs with user-level or elevated privileges.

The unauthenticated nature of the attack vector is a critical factor. Metro does not require authentication for local or network-adjacent requests by default. Any host that can reach port 8081 can send a malicious POST request and trigger execution without credentials or prior access.


Real-World Impact

Organizations that use React Native CLI in development pipelines are directly exposed if Metro Development Server instances are reachable from untrusted or shared network segments. This includes:

  • Developer workstations on open office or guest Wi-Fi networks
  • CI/CD build agents running React Native builds where Metro is started as part of the pipeline
  • Remote development environments where port forwarding or cloud-hosted dev boxes expose Metro to broader network ranges

Successful exploitation allows an attacker to execute arbitrary code with the privileges of the developer's Node.js process. Depending on the environment, this translates to data exfiltration, installation of malware, access to source code repositories, credential theft from environment variables, or pivoting to other internal systems.

Windows-based development environments face elevated risk. Full shell command control with arbitrary arguments enables techniques such as PowerShell-based payload delivery, registry modification, and scheduled task creation — all achievable in a single exploitation step.

CISA has added CVE-2025-11953 to the Known Exploited Vulnerabilities (KEV) catalog and mandated that federal agencies apply patches by 2026-02-26. Federal civilian executive branch (FCEB) agencies must treat this as an active remediation priority.


Affected Versions

The vulnerability affects React Native Community CLI versions that include the vulnerable Metro Development Server endpoint. Organizations should cross-reference their installed CLI version against the official React Native Community advisory and changelog for confirmed affected version ranges.


Patching and Mitigation Guidance

1. Update React Native Community CLI
Apply the patched version of React Native Community CLI as soon as it is available. Monitor the React Native Community CLI GitHub repository and the official advisory for confirmed fixed versions. Pin your CLI version in package.json and enforce the update across all developer environments and CI agents.

2. Restrict Network Access to Metro
Until a patch is applied, block inbound access to TCP port 8081 at the host firewall and network perimeter. Metro should only be reachable from localhost (127.0.0.1) unless explicitly required for device testing over a trusted local network.

3. Avoid Exposing Metro to Untrusted Networks
Do not run Metro Development Server on networks where untrusted hosts are present. This includes public Wi-Fi, guest networks, and any environment where network adjacency cannot be guaranteed. Use VPNs or network segmentation if device-based testing requires Metro to be reachable from mobile hardware.

4. Audit Logs for Exploit Attempts
Review HTTP server logs for unexpected POST requests to Metro endpoints, particularly from non-localhost source addresses. Flag any anomalous POST activity to the Metro server for investigation. If Metro is deployed in CI/CD pipelines, review pipeline logs for unexpected process execution events originating from the Node.js process.

5. Apply CISA KEV Deadline
Federal agencies must remediate by 2026-02-26 per CISA's KEV catalog directive. Non-federal organizations should treat this deadline as a benchmark and prioritize remediation within their own patching SLAs based on network exposure and development environment risk.