A newly disclosed critical vulnerability (CVE-2025-11953, CVSS 9.8) in the React Native Community CLI exposes developers to remote code execution (RCE) through the Metro development server, which the CLI binds to external network interfaces by default. The flaw affects versions 4.8.0 up to, but not including, 20.0.0, and the CLI sees over 1.7 million weekly downloads, so a large share of React Native developers are exposed.
According to the CVE record, “The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection.” In practice, when a developer starts a React Native project with the CLI, the Metro server, which is only meant to serve the developer's own machine, is listening not just on the loopback interface but on addresses that other hosts on the network can reach.
An unauthenticated attacker on the same network, or anyone else who can reach the developer's machine over the network, can send crafted POST requests to the exposed endpoint and execute commands on the host operating system; no credentials or user interaction are required.
“This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.”
On Windows this amounts to arbitrary CMD or PowerShell command execution with attacker-controlled arguments, which is enough to install malware, harvest credentials, or pivot deeper into the developer's environment. On other platforms the record describes a narrower primitive, running arbitrary executables rather than arbitrary shell commands with fully controlled arguments, but the outcome is still code execution on the developer's machine.
The affected versions
- Affected: 4.8.0 up to, but not including, 20.0.0
- Fixed: 20.0.0 and later
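As a worked check for the exposure described above, here is a small Node.js triage script added for this page; it is not code from the React Native project, the CLI maintainers, or the CVE record. It flags lockfile entries that fall inside the affected range and listening sockets on the dev-server port that are bound to something other than loopback. The page does not name the npm packages or the port, so the script assumes that the vulnerable code ships in @react-native-community/cli and @react-native-community/cli-server-api and that Metro's default port is 8081; the lockfile and socket listing it runs against are constructed sample data.

```javascript
// Added triage helper for CVE-2025-11953. Example code written for this page, not
// code from the React Native project, the CLI maintainers, or the CVE record.
// Assumptions not stated on the page: the affected code ships in the npm packages
// @react-native-community/cli and @react-native-community/cli-server-api, and
// Metro listens on TCP port 8081 unless told otherwise.

const AFFECTED_FROM = [4, 8, 0];  // first affected version, inclusive (from the advisory)
const FIXED_AT = [20, 0, 0];      // first fixed version, exclusive upper bound
const DEV_SERVER_PORT = 8081;     // assumed Metro default
const SUSPECT_PACKAGES = [
  '@react-native-community/cli',
  '@react-native-community/cli-server-api',
];

// "19.1.1" or "v19.1.1" -> [19, 1, 1]; pre-release tags are ignored; null if not semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when AFFECTED_FROM <= version < FIXED_AT.
function isAffected(version) {
  const v = parseVersion(version);
  return v !== null
    && compareVersions(v, AFFECTED_FROM) >= 0
    && compareVersions(v, FIXED_AT) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys are
// install paths such as "node_modules/@react-native-community/cli", possibly nested
// under another package's node_modules, so the name is whatever follows the last
// "node_modules/". The root entry (key "") is never a dependency.
function findAffectedInLockfile(lock) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    const idx = installPath.lastIndexOf('node_modules/');
    const name = idx < 0 ? '' : installPath.slice(idx + 'node_modules/'.length);
    if (SUSPECT_PACKAGES.includes(name) && isAffected(entry.version)) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// Loopback addresses as printed by ss/netstat: 127.x.x.x, ::1 (with or without brackets), localhost.
function isLoopbackAddress(addr) {
  const a = addr.replace(/^\[|\]$/g, '');
  return a === '::1' || a === 'localhost' || a.startsWith('127.');
}

// Scan LISTEN lines from `ss -ltn` (Linux) or `netstat -an` (macOS, Windows) and report
// sockets on the dev-server port whose local address is not loopback. The local address
// is the first "addr:port" (or macOS-style "addr.port") token on the line.
function exposedDevServerListeners(netText, port = DEV_SERVER_PORT) {
  const exposed = [];
  for (const line of netText.split('\n')) {
    if (!/LISTEN/.test(line)) continue;
    const m = /(\S+)[.:](\d+)\b/.exec(line);
    if (!m || Number(m[2]) !== port) continue;
    if (!isLoopbackAddress(m[1])) exposed.push({ address: m[1], port });
  }
  return exposed;
}

// A project is at risk only when it ships an affected version AND the dev server is
// actually reachable from other hosts; either condition alone is not enough.
function assessProject(lock, netText) {
  const affectedPackages = findAffectedInLockfile(lock);
  const listeners = exposedDevServerListeners(netText);
  return { affectedPackages, listeners, atRisk: affectedPackages.length > 0 && listeners.length > 0 };
}

// Constructed sample input (not real project data) so the helper runs offline.
const SAMPLE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@react-native-community/cli': { version: '19.1.1' },
    'node_modules/@react-native-community/cli-server-api': { version: '19.1.1' },
    'node_modules/react': { version: '19.1.0' },
  },
};
const SAMPLE_SS = [
  'State  Recv-Q Send-Q Local Address:Port  Peer Address:Port',
  'LISTEN 0      511    0.0.0.0:8081        0.0.0.0:*',   // Metro on every interface
  'LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*',   // loopback only, other port
  'LISTEN 0      511    [::]:8081           [::]:*',      // IPv6 wildcard, exposed
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(assessProject(SAMPLE_LOCK, SAMPLE_SS), null, 2));
}
```

To use it on a real project, replace SAMPLE_LOCK with JSON.parse of the project's package-lock.json and SAMPLE_SS with the captured output of `ss -ltn` or `netstat -an` on the developer's machine while Metro is running. Both checks must fire for the machine to match the advisory's threat model: an affected CLI whose server only listens on 127.0.0.1 is not reachable by the network attacker the record describes, and an exposed server running a fixed version has no injectable endpoint.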
Given how widely the React Native Community CLI is used for cross-platform mobile development, the exposure is broad. Development machines typically hold trusted credentials, SSH keys, and access tokens, so code execution on one of them is a valuable foothold, and the risk is highest on shared or untrusted networks where any other host can reach the developer's machine. The fix is to upgrade to 20.0.0 or later; until that is done, make sure the development server is reachable only on the loopback interface or is blocked by a host firewall, since the vulnerability is only exploitable by an attacker who can reach the exposed endpoint.