← Voltar para CVEs
CVE-2025-11953
CRITICALCISA KEV9.8
Descricao
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
Detalhes CVE
Pontuacao CVSS v3.19.8
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado11/3/2025
Ultima modificacao2/6/2026
Fontekev
Avistamentos honeypot0
CISA KEV
FornecedorReact Native Community
ProdutoCLI
Nome da vulnerabilidadeReact Native Community CLI OS Command Injection Vulnerability
Data inclusao KEV2026-02-05
Prazo de remediacao2026-02-26
Uso em ransomwareUnknown
Produtos afetados
react-native-community:react_native_community_cli
Fraquezas (CWE)
CWE-78
Referencias
https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547(reefs@jfrog.com)
https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability(reefs@jfrog.com)
https://x.com/SzymonRybczak/status/1986199665000566848(af854a3a-2127-422b-91ae-364da2661108)
https://x.com/thymikee/status/1986770875954475375(af854a3a-2127-422b-91ae-364da2661108)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953(134c704f-9b21-4f2e-91b3-4a467353bcc0)
https://www.vulncheck.com/blog/metro4shell_eitw(134c704f-9b21-4f2e-91b3-4a467353bcc0)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.