@react-native-community/cli is vulnerable to Command Injection
98
Critical Risk
Affected versions of the React Native Community CLI expose a Metro development server that binds to external interfaces and provides an endpoint vulnerable to OS command injection, allowing unauthenticated remote attackers to issue crafted POST requests that execute arbitrary executables. On Windows, attackers can further run arbitrary shell commands with fully controlled arguments.
You are affected if you are using a version that falls within the vulnerable range.
@react-native-community/cli is vulnerable to Command Injection in versions 0.0.1 - 17.0.0, 18.0.0 - 18.0.0 and 19.0.0 - 19.1.1.
Upgrade the @react-native-community/cli and @react-native-community/cli-server-api libraries to the patched version.
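To check a project against the ranges listed above, the following added example (not code from this advisory or from the React Native project) scans a parsed npm lockfile for every installed copy of @react-native-community/cli, including nested copies. It assumes lockfileVersion 2 or 3 and treats the listed ranges as inclusive. The function names and the sample lockfile are constructed for illustration, and only the cli package is matched because the advisory gives ranges for that package alone.

```javascript
// Added example, not code from the advisory or the React Native project.
const PACKAGE = "@react-native-community/cli";
// Inclusive ranges copied from the advisory text above.
const VULNERABLE_RANGES = [["0.0.1", "17.0.0"], ["18.0.0", "18.0.0"], ["19.0.0", "19.1.1"]];

// Parse "major.minor.patch"; pre-release and build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return false; // missing or unparseable version (e.g. a linked package)
  return VULNERABLE_RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 && compareVersions(v, parseVersion(hi)) <= 0);
}

// Scan a parsed lockfile's "packages" map. Keys are install paths, so a copy
// nested under another dependency's node_modules is found as well.
function findVulnerableInstalls(lock) {
  const suffix = "node_modules/" + PACKAGE;
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path.endsWith(suffix) && isVulnerable(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Convenience wrapper for a lockfile on disk (Node.js, CommonJS).
function scanLockfile(file) {
  return findVulnerableInstalls(JSON.parse(require("fs").readFileSync(file, "utf8")));
}

// Constructed sample lockfile: one affected top-level copy, one unaffected nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@react-native-community/cli": { version: "19.1.1" },
    "node_modules/@react-native-community/cli-server-api": { version: "19.1.1" },
    "node_modules/react-native/node_modules/@react-native-community/cli": { version: "20.0.0" },
  },
};

console.log(findVulnerableInstalls(SAMPLE_LOCK));
```

For a real project, call scanLockfile with the path to its package-lock.json and treat any returned entry as a dependency to upgrade.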