OS Command Injection in React Native Community CLI - CVE-2025-11953
Published: February 3, 2026
Vulnerability identifier: #VU122262
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2025-11953
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: React Native Community
Affected software:
React Native Community CLI
React Native Community CLI
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation within the Metro Development Server at the "/open-url" endpoint. A remote unauthenticated attacker can send a specially crafted HTTP POST request to the affected endpoint and execute arbitrary OS commands on the target system.
On Windows installations the attackers can also fully control arguments when executing arbitrary OS commands.
How to mitigate CVE-2025-11953
Install updates from vendor's website.