CVE-2025-11953CRITICAL 9.8CISA KEVEPSS p99.1%

CVE-2025-11953React Native Community CLI OS Command Injection Vulnerability

React Native Community / CLI

Description

React Native Community CLI contains an OS command injection vulnerability which could allow unauthenticated network attackers to send POST requests to the Metro Development Server and run arbitrary executables via a vulnerable endpoint exposed by the server. On Windows, attackers can also execute arbitrary shell commands with fully controlled arguments.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS61.94% probability of exploitation · percentile 99.1% · 2026-06-18T12:00:27Z
Published2025-11-03
Last modified2026-02-06

CISA KEV entry

Added to KEV: 2026-02-05

Underlying weaknesses· 1

CWE-78

References

  1. https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
  2. https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability
  3. https://x.com/SzymonRybczak/status/1986199665000566848
  4. https://x.com/thymikee/status/1986770875954475375
  5. https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953
  6. https://www.vulncheck.com/blog/metro4shell_eitw

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection')cwe-780%live

(incoming)1

TypeTargetConfidenceTier
KEVEntryReact Native Community CLI OS Command Injection Vulnerabilitykev-cve-2025-119530%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
Meta React Server Components Remote Code Execution Vulnerability
CVE
CVE-2025-9976
CVE
CVE-2025-63706
CVE
CVE-2026-21257
CVE
CVE-2026-21256
CVE
CVE-2025-10589
Sourced from NVD + CISA KEV + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.