Main Vulnerability Database Exploits ID:12346 - Exploit for OS Command Injection in React Native Community CLI - CVE-2025-11953

ID:12346 - Exploit for OS Command Injection in React Native Community CLI - CVE-2025-11953

Published: February 3, 2026

Vulnerability identifier: #VU122262

Vulnerability risk: Critical

CVE-ID: CVE-2025-11953

CWE-ID: CWE-78

Exploitation vector: Remote access

Vulnerable software:
React Native Community CLI

Link to public exploit:

https://github.com/SaidBenaissa/cve-2025-11953-vulnerability-demo

Vulnerability description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within the Metro Development Server at the "/open-url" endpoint. A remote unauthenticated attacker can send a specially crafted HTTP POST request to the affected endpoint and execute arbitrary OS commands on the target system.

On Windows installations the attackers can also fully control arguments when executing arbitrary OS commands.

Remediation

Install updates from vendor's website.