← Zuruck zu CVEs

CVE-2025-11953

CRITICALCISA KEV

9.8

Beschreibung

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

CVE Details

CVSS v3.1 Bewertung9.8

SchweregradCRITICAL

CVSS VektorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AngriffsvektorNETWORK

KomplexitatLOW

Erforderliche PrivilegienNONE

BenutzerinteraktionNONE

Veroffentlicht11/3/2025

Zuletzt geandert2/6/2026

Quellekev

Honeypot-Sichtungen0

CISA KEV

HerstellerReact Native Community

ProduktCLI

SchwachstellennameReact Native Community CLI OS Command Injection Vulnerability

KEV Aufnahmedatum2026-02-05

Behebungsfrist2026-02-26

Ransomware-NutzungUnknown

Betroffene Produkte

react-native-community:react_native_community_cli

Schwachen (CWE)

CWE-78

Referenzen

https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547(reefs@jfrog.com)

https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability(reefs@jfrog.com)

https://x.com/SzymonRybczak/status/1986199665000566848(af854a3a-2127-422b-91ae-364da2661108)

https://x.com/thymikee/status/1986770875954475375(af854a3a-2127-422b-91ae-364da2661108)

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953(134c704f-9b21-4f2e-91b3-4a467353bcc0)

https://www.vulncheck.com/blog/metro4shell_eitw(134c704f-9b21-4f2e-91b3-4a467353bcc0)

IOC Korrelationen

Keine Korrelationen erfasst

This product uses data from the NVD API but is not endorsed or certified by the NVD.