Listen to this Post
The vulnerability stems from the Metro development server, started via the React Native Community CLI, binding to all network interfaces (0.0.0.0) by default instead of only localhost, contrary to the console message . This exposes an endpoint, /open-url, which is vulnerable to OS command injection . An unauthenticated attacker on the same network can send a crafted POST request to this endpoint. The server passes the `url` parameter from this request directly to the `open()` function from the `open` npm package. On Windows, this unsafe function call can be exploited to spawn `cmd /c` with attacker-controlled arguments, allowing arbitrary command execution. On other platforms, while the direct execution path is less straightforward, the risk of remote code execution remains a significant threat . The vulnerability is present in `@react-native-community/cli` and `cli-server-api` versions from 4.8.0 up to, but not including, the patched versions .
Platform: React Native
Version: <18.0.1,<19.1.2,<20.0.0
Vulnerability :OS command injection
Severity: Critical
date: 2025-11-03
Prediction: Patch immediately
What Undercode Say:
Analytics
- Vulnerability Detection (npm):
npm list @react-native-community/cli npm list @react-native-community/cli-server-api
- Check Listening Ports:
Linux/macOS netstat -an | grep 8081 Windows netstat -an | findstr 8081
Exploit:
- Basic Curl Command (Conceptual):
This POST request attempts to pass a malicious command via the 'url' parameter. On Windows, this could potentially execute calc.exe curl -X POST http://<victim-ip>:8081/open-url -d "url=file:///C:/Windows/System32/cmd.exe?/c+calc.exe"
Note: Public Proof of Concept repositories are available for CVE-2025-11953 .
Protection
- Immediate Update:
npm update @react-native-community/cli npm update @react-native-community/cli-server-api
- Mitigation (If update not possible):
Start the server explicitly bound to localhost to prevent external access.npx react-native start --host 127.0.0.1
- Network Segmentation: Ensure development servers are not exposed on untrusted networks.
Impact
Successful exploitation allows an unauthenticated, network-adjacent attacker to achieve remote code execution on the developer’s machine . This can lead to source code theft, injection of malicious code into application builds, credential harvesting, and pivoting to internal networks, posing a critical supply chain risk.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

