# React Native's Open Door Policy: The Anatomy of CVE-2025-11953

Posted 2026-02-04 by admin
## ⚠️ Exploit Status: POC

Vulnerability ID: CVE-2025-11953
CVSS Score: 9.8
Published: 2025-11-03

In the world of modern development, 'Developer Experience' (DX) is king. Tools are designed to be frictionless, magical, and zero-config. But sometimes that magic means binding a server to 0.0.0.0 and letting unauthenticated network traffic execute shell commands on your workstation. CVE-2025-11953 is a critical Remote Code Execution (RCE) vulnerability in the React Native CLI's Metro development server that turns a developer's convenience into an attacker's playground.

Summary: a critical RCE in @react-native-community/cli (Metro server) allows an attacker on the same network to execute arbitrary commands on a developer's machine via the /open-url endpoint. The server hands the caller-supplied URL to the OS shell without sanitizing it.

Read the full report for CVE-2025-11953 on our website for more details, including interactive diagrams and a full exploit analysis.

## Code Analysis

## Commit: 1508990

Commit message: fix: sanitize url in openURLMiddleware to prevent command injection

The fix parses the incoming URL and refuses any scheme other than http or https before the value reaches the launcher:
```diff
+ const parsedUrl = new URL(url);
+ if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:')
```
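Review bot: `new URL(url)` on the first line throws a TypeError for anything that is not a parseable absolute URL (a missing body field, an empty string, a bare path such as `/open-url`), so this hunk needs a try/catch that answers 400 rather than letting the exception propagate out of the middleware. The protocol allow-list on the second line is the right gate for `file:` and custom schemes, but it does not by itself neutralise shell metacharacters: `;`, `&`, `|` and `$` all survive in the path or query of a perfectly valid http URL, so whatever follows this check must pass `parsedUrl.href` to the launcher as an argv element with no shell in between, never interpolate it into a command string.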
## Technical Details

- CWE ID: CWE-78 (OS Command Injection)
- CVSS v3.1: 9.8 (Critical)
- Attack Vector: Network (AV:N)
- EPSS Score: 0.405% (Rising)
- Vulnerable Component: Metro Server Middleware (openURL)
- Exploit Status: Proof of Concept Available

## Affected Systems

- React Native Development Environments
- Metro Bundler
- Windows Workstations (Primary Target)
- macOS/Linux Workstations (Secondary Target)
- @react-native-community/cli: >= 4.8.0 < 20.0.0 (Fixed in: 20.0.0)

## Exploit Details

- GitHub: Python script demonstrating remote command execution on Windows targets.

## Mitigation Strategies

- Upgrade @react-native-community/cli to v20.0.0+
- Restrict Metro server binding to localhost (127.0.0.1)
- Implement host-based firewall rules to block port 8081 on public networks.

Remediation steps:

- Run `npm ls @react-native-community/cli` (or `npm outdated @react-native-community/cli`) to see the installed version.
- Update the package: `npm install @react-native-community/cli@latest` or `yarn upgrade @react-native-community/cli`.
- Verify the version is >= 20.0.0.
Then bind Metro to loopback so it is unreachable from the LAN: start it with `npx react-native start --host 127.0.0.1` (the `start` command's `--host` flag selects the listen address; it is a command-line option rather than a `metro.config.js` setting). Physical Android devices can still reach the bundler afterwards through `adb reverse tcp:8081 tcp:8081`.

## References

- JFrog Security Analysis
- ZeroPath Technical Report
Tags: how-to, tutorial, guide, dev.to, ai, linux, server, shell, network, firewall, python, git, github