#VU122262 OS Command Injection in React Native Community CLI - CVE-2025-11953
Published: February 3, 2026
Vulnerability identifier: #VU122262
Vulnerability risk: Critical
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2025-11953
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vulnerable software:
React Native Community CLI
React Native Community CLI
Software vendor:
React Native Community
React Native Community
Description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the Metro Development Server at the "/open-url" endpoint. A remote unauthenticated attacker can send a specially crafted HTTP POST request to the affected endpoint and execute arbitrary OS commands on the target system.
On Windows installations the attackers can also fully control arguments when executing arbitrary OS commands.
Remediation
Install updates from vendor's website.