9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-11953

GHSA ID

GHSA-399j-vxmf-hjvr

EPSS Score

0.50427%

CWE

CWE-78

Published

11/3/2025

Updated

11/6/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-11953

CVE-2025-11953: @react-native-community/cli has arbitrary OS command injection

The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-11953

CVE-2025-11953:

9.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-11953

GHSA ID

GHSA-399j-vxmf-hjvr

EPSS Score

0.50427%

CWE

CWE-78

Published

11/3/2025

Updated

11/6/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@react-native-community/cli	npm	< 20.0.0	20.0.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the openURLMiddleware function in the file packages/cli-server-api/src/openURLMiddleware.ts. The function receives a URL from a POST request and uses the open library to open it. The vulnerability lies in the fact that the open library can execute system commands, and the URL from the request is not sanitized before being passed to it. This allows an attacker to craft a malicious URL that can execute arbitrary commands on the host system. The patch mitigates this by adding strict URL validation, ensuring that only http and https protocols are allowed, thus preventing the execution of local files or commands.

Vulnerable functions

openURLMiddleware

packages/cli-server-api/src/openURLMiddleware.ts

The `openURLMiddleware` function is vulnerable to OS command injection. It takes a URL from the request body and uses it in the `open()` function call without proper validation. An attacker can provide a malicious URL to execute arbitrary commands on the server.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

9.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-11953: @react-native-community/cli has arbitrary OS command injection

CVE-2025-11953:

9.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2025-11953: @react-native-community/cli has arbitrary OS command injection

Technical Details

9.8

9.8

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI