Tools: CVE-2025-11953: React Native's Open Door Policy: The Anatomy of CVE-2025-11953
2026-02-04
admin
- Vulnerability ID: CVE-2025-11953
- CVSS Score: 9.8
- Published: 2025-11-03

In the world of modern development, 'Developer Experience' (DX) is king. Tools are designed to be frictionless, magical, and zero-config. But sometimes, that magic involves binding a server to 0.0.0.0 and letting unauthenticated network traffic execute shell commands on your workstation. CVE-2025-11953 is a critical Remote Code Execution (RCE) vulnerability in the React Native CLI's Metro server that turns a developer's convenience into a hacker's playground.

A critical RCE in `@react-native-community/cli` (Metro Server) allows attackers on the same network to execute arbitrary commands on a developer's machine via the `/open-url` endpoint. The server fails to sanitize input before passing it to the OS shell.

## ⚠️ Exploit Status: POC

## Technical Details

- CWE ID: CWE-78 (OS Command Injection)
- CVSS v3.1: 9.8 (Critical)
- Attack Vector: Network (AV:N)
- EPSS Score: 0.405% (Rising)
- Vulnerable Component: Metro Server Middleware (openURL)
- Exploit Status: Proof of Concept Available

## Affected Systems

- React Native Development Environments
- Metro Bundler
- Windows Workstations (Primary Target)
- macOS/Linux Workstations (Secondary Target)
- `@react-native-community/cli`: >= 4.8.0 < 20.0.0 (Fixed in: 20.0.0)

## Code Analysis

## Commit: 1508990

fix: sanitize url in openURLMiddleware to prevent command injection

```diff
+ const parsedUrl = new URL(url);
+ if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:')
```

## Exploit Details

- GitHub: Python script demonstrating remote command execution on Windows targets.

## Mitigation Strategies

- Upgrade `@react-native-community/cli` to v20.0.0+
- Restrict Metro server binding to localhost (127.0.0.1)
- Implement host-based firewall rules to block port 8081 on public networks

1. Run `npm outdated @react-native-community/cli` to check your version.
2. Update the package: `npm install @react-native-community/cli@latest` or `yarn upgrade @react-native-community/cli`.
3. Verify the version is >= 20.0.0.
4. Edit `metro.config.js` to set `server.host = '127.0.0.1'`.
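Review bot: `new URL(url)` on the first added line of the openURLMiddleware hunk throws a TypeError on a malformed string, and nothing in the visible lines catches it, so wrap the parse in a try/catch and answer with an explicit client error instead of letting the exception leave the middleware. The body of the `if` on the second added line is not shown in this excerpt; make the rejection path explicit (error status and early return), and hand the serialized `parsedUrl.href` rather than the raw `url` to whatever opens it, since the commit message promises sanitization and a check on `protocol` alone does not normalize the rest of the string.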
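The version check from the remediation steps, as an added example that is not code from the original post or from the React Native project: it walks a `package-lock.json` (npm lockfileVersion 2 or 3 is assumed) and flags every installed copy of `@react-native-community/cli` in the affected range stated above, including copies nested under other packages. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag installed copies of the CLI in the range >= 4.8.0 < 20.0.0.
const PKG = '@react-native-community/cli';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Compare two numeric [major, minor, patch] triples: -1, 0 or 1.
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A prerelease of 20.0.0 sorts below 20.0.0 in semver, so it is treated as
// affected (conservative assumption). Unparseable versions are flagged too.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  if (compareCore(p.nums, [4, 8, 0]) < 0) return false;
  const vsFixed = compareCore(p.nums, [20, 0, 0]);
  return vsFixed < 0 || (vsFixed === 0 && p.pre !== null);
}

// Walk the lockfile's "packages" map and report every installed copy.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/' + PKG)) continue;
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@react-native-community/cli': { version: '20.0.0' },
    'node_modules/react-native/node_modules/@react-native-community/cli': { version: '12.3.6' },
    'node_modules/@react-native-community/cli-tools': { version: '12.3.6' },
  },
};
console.log(auditLockfile(sampleLock));
```

To audit a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile`; Yarn lockfiles use a different format and are not handled here.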