The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-11953 to its Known Exploited Vulnerabilities (KEV) catalog, flagging an OS command injection flaw in the React Native Community CLI as actively exploited in the wild.
Added on February 5, 2026, with a federal patching deadline of February 26, 2026, the vulnerability poses severe risks to developers running exposed Metro Development Servers.
React Native, a popular framework for cross-platform mobile apps used by enterprises like Meta and Shopify, relies on the Community CLI for project management and Metro bundler for fast bundling.
Attackers can exploit a vulnerable endpoint by sending unauthenticated POST requests and executing arbitrary executables remotely. On Windows, this escalates to full control of the shell with attacker-specified arguments, enabling ransomware deployment, data exfiltration, or persistent backdoors.
This open-source flaw could ripple through third-party libraries and proprietary apps, amplifying supply chain risks. No ransomware attribution yet, but threat actors favor such dev-tool vulns for initial access in APT campaigns.
Enterprises with CI/CD pipelines or dev environments face elevated threats. Exposed Metro servers—common in local dev workflows—allow lateral movement if chained with weak network segmentation. SOC teams should hunt for anomalous POSTs to CLI endpoints (e.g., /cli/debugger) and IOCs like unexpected process spawns.
- Immediate Patch: Update CLI via GitHub fixes; verify with
npx @react-native-community/cli@latest doctor. - Follow BOD 22-01: Harden cloud services (AWS, Azure) with least-privilege access.
- Defenses: Firewall Metro ports (8081 default); use EDR for command-line monitoring; discontinue unpatched use.
- Hunt Queries: Sigma rules for
cmd.exe /cwith CLI args or Metro traffic spikes.
CISA urges FCEB agencies to act swiftly. Developers: Never expose dev servers publicly. This serves as a reminder: dev tools are prime targets in the expansion of 2026’s attack surface.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
