The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical security flaw affecting the React Native Community CLI to its Known Exploited Vulnerabilities (KEV) catalog.
Identified as CVE-2025-11953, this vulnerability is an Operating System (OS) command injection flaw that poses severe risks to development environments, particularly those running on Windows infrastructures.
The addition to the KEV catalog confirms that threat actors are actively leveraging this flaw in the wild, necessitating immediate action from organizations and developers using this popular mobile development toolset.
Technical Analysis of CVE-2025-11953
The vulnerability resides within the React Native Community Command Line Interface (CLI), a foundational tool used to initialize and manage React Native projects.
The specific flaw allows for OS command injection, a technique where an attacker executes arbitrary operating system commands on the server that is running an application.
According to the advisory, the vulnerability is triggered through the Metro Development Server.
This server is typically used during the development phase to bundle JavaScript code. The flaw allows unauthenticated network attackers to send specially crafted POST requests to vulnerable endpoints exposed by the Metro server.
Successful exploitation results in the execution of arbitrary executables. The risk is significantly elevated for Windows users.
On Windows systems, the vulnerability allows attackers to execute arbitrary shell commands with fully controlled arguments.
This means an attacker could potentially take complete control over a developer’s machine or a build server if the Metro server is exposed to a network.
This vulnerability is particularly dangerous because development servers are often configured with lower security restrictions than production environments to facilitate debugging and rapid iteration.
If a developer runs the Metro server on a network that is accessible to untrusted parties, such as a public Wi-Fi network or an improperly secured corporate subnet, attackers can exploit this flaw without needing any credentials.
While it is currently unknown if this vulnerability is being used specifically in ransomware campaigns, the ability to achieve Remote Code Execution (RCE) makes it a prime candidate for initial access brokers and data theft operations.
In response to active exploitation, CISA has set a strict deadline for Federal Civilian Executive Branch (FCEB) agencies to remediate this vulnerability.
Agencies are required to apply vendor mitigations or discontinue the use of the product by February 26, 2026.
Recommended Actions:
- Update Immediately: Developers should update their @react-native-community/cli packages to the latest patched versions immediately.
- Isolate Development Servers: Ensure that Metro Development Servers are not exposed to public networks or untrusted interfaces.
- Monitor Logs: Security teams should monitor for suspicious POST requests targeting development ports (commonly port 8081).
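As an added defensive example (not from the advisory or the React Native project), the following Python script applies the log-monitoring advice above to constructed access-log lines: it flags POST requests to port 8081 whose source lies outside an assumed trusted developer network. The log line format, the trusted networks and the sample addresses are all assumptions made for this example.

```python
import ipaddress
import re

METRO_PORT = 8081  # default Metro development port named in the advice above

# Assumed allow-list for this example: loopback plus one hypothetical dev VLAN.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.20.30.0/24")]

# Hypothetical access-log format: "<ts> <src> -> <dst>:<port> <method> <path> <status>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) "
                     r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")

def is_trusted(src: str) -> bool:
    """True only for sources inside TRUSTED_NETS; unparsable addresses are untrusted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_untrusted_metro_posts(log_text: str) -> list[dict]:
    """Return POST requests to the Metro port whose source is outside the trusted nets."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting a triage run
        if int(m["port"]) != METRO_PORT or m["method"] != "POST" or is_trusted(m["src"]):
            continue
        findings.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"], "path": m["path"]})
    return findings

# Constructed sample lines, not real traffic; 198.51.100.x and 192.0.2.x are
# documentation ranges standing in for external addresses.
SAMPLE_LOG = """\
2026-02-10T09:12:01Z 127.0.0.1 -> 127.0.0.1:8081 GET /index.bundle 200
2026-02-10T09:12:05Z 10.20.30.44 -> 10.20.30.7:8081 POST /status 200
2026-02-10T09:12:09Z 198.51.100.23 -> 10.20.30.7:8081 POST /status 200
2026-02-10T09:12:11Z 198.51.100.23 -> 10.20.30.7:443 POST /api/login 401
2026-02-10T09:12:14Z 192.0.2.77 -> 10.20.30.7:8081 POST /status 500
this line is malformed and should be skipped
"""

if __name__ == "__main__":
    for f in find_untrusted_metro_posts(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}{f['path']}: POST to Metro port from untrusted source")
```

Adapt LINE_RE and TRUSTED_NETS to your own proxy or flow-log format and developer subnets; any hit is a reason to confirm the Metro server is bound only to loopback and that the CLI package is patched.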
