React Native Community and Federal Civilian Executive Branch: CISA Warns of Actively Exploited React Native Community Command Injection Vulnerability

CISA Warns of Actively Exploited React Native CLI Vulnerability (CVE-2025-11953)

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-11953, a critical OS command injection vulnerability in the React Native Community Command-Line Interface (CLI), to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild.

The flaw affects the Metro Development Server, a core component of the React Native CLI used for bundling JavaScript during app development. Attackers can exploit the vulnerability by sending crafted POST requests to exposed Metro Server endpoints, enabling arbitrary command execution. The impact is particularly severe on Windows systems, where it allows full control over development machines or build servers.

Due to relaxed security controls in development environments, exposed Metro Servers (e.g., on public Wi-Fi or insecure networks) are prime targets for remote code execution (RCE), making this an attractive entry point for threat actors, including initial access brokers and data exfiltration campaigns.

CISA has set a remediation deadline of February 26, 2026, for Federal Civilian Executive Branch (FCEB) agencies, mandating patches or discontinuation of vulnerable versions. The agency advises all organizations to:

  • Upgrade to the latest patched version of @react-native-community/cli.
  • Restrict access to Metro Servers, avoiding exposure to untrusted networks.
  • Monitor network logs for suspicious activity on the default Metro port (8081).
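The third recommendation is easy to state but vague in practice, so here is an added example of what "monitor the default Metro port" can mean as concrete detection logic. It is not code from the advisory, from CISA, or from the React Native project. It assumes a constructed one-request-per-line log format (timestamp, client IP, server IP:port, method, path, status) and a constructed allow-list of trusted developer networks; only the port number 8081 and the "POST to an exposed Metro endpoint" pattern come from the advisory. The rule set flags any POST reaching the Metro port from a non-loopback client, and any request at all that reaches it from outside the trusted networks, which is the exposure condition the advisory describes.

```python
"""Flag requests to the Metro dev-server port that indicate exposure.

Defender-side rules derived from the advisory:
  - loopback clients on port 8081 are normal during local development
  - a POST to port 8081 from any non-loopback client is flagged
  - any request to port 8081 from outside the trusted networks is flagged
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

METRO_PORT = 8081  # default Metro port named in the advisory

# Constructed allow-list (assumption): loopback plus one developer LAN.
TRUSTED_NETS = [ip_network("127.0.0.0/8"), ip_network("192.168.1.0/24")]

# Constructed log format (assumption, not Metro's own log output):
# "<timestamp> <src_ip> <dst_ip>:<dst_port> <method> <path> <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    method: str
    path: str
    reason: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious Metro-port request, else None."""
    m = LINE_RE.match(line.strip())
    if not m or int(m["port"]) != METRO_PORT:
        return None  # malformed line or traffic to some other service
    src = ip_address(m["src"])
    method = m["method"]
    trusted = any(src in net for net in TRUSTED_NETS)
    if not trusted:
        # Metro answered a client outside the trusted networks: the server
        # is reachable from an untrusted network regardless of method.
        reason = "metro-reachable-from-untrusted-network"
    elif method == "POST" and not src.is_loopback:
        # Exploitation as described uses crafted POST requests; a POST from
        # another host on the LAN is worth a look even if the LAN is trusted.
        reason = "post-to-metro-from-non-loopback-client"
    else:
        return None  # loopback traffic, or trusted-LAN GETs (noisy)
    return Finding(m["ts"], str(src), method, m["path"], reason)


def scan(log_text: str) -> List[Finding]:
    """Run classify() over every non-empty line and collect the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Constructed sample log (not real traffic); 192.168.1.20 is the dev host.
SAMPLE_LOG = """\
2026-02-10T09:12:01Z 127.0.0.1 192.168.1.20:8081 GET /index.bundle 200
2026-02-10T09:12:09Z 192.168.1.57 192.168.1.20:8081 POST /example-endpoint 200
2026-02-10T09:12:11Z 127.0.0.1 192.168.1.20:8081 POST /example-endpoint 200
2026-02-10T09:12:20Z 203.0.113.9 192.168.1.20:8081 GET /status 200
2026-02-10T09:12:21Z 203.0.113.9 192.168.1.20:8081 POST /example-endpoint 500
2026-02-10T09:12:30Z 192.168.1.57 192.168.1.20:3000 POST /api/login 200
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.ts} {finding.src} {finding.method} {finding.path} -> {finding.reason}")
```

On the sample above the script reports three findings: the LAN POST, and both requests from 203.0.113.9 (the GET alone proves the server is reachable from outside the trusted networks). The trusted-network list is deliberately an explicit allow-list rather than a "private vs. public" check, because an exposed dev server on a coffee-shop network still sees private-range client addresses; the point is whether the address belongs to a network you intended Metro to serve.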

Exploitation requires no authentication, and successful attacks could lead to privilege escalation or lateral movement within compromised environments. While the vulnerability primarily impacts development systems, its potential for full host compromise underscores the urgency of mitigation.

Source: https://cyberpress.org/react-native-community-command-injection-vulnerability/

React Native Community TPRM report: https://www.rankiteo.com/company/reactofficial

Federal Civilian Executive Branch TPRM report: https://www.rankiteo.com/company/federal-engineering-inc

{
  "id": "reafed1770374316",
  "linkid": "reactofficial, federal-engineering-inc",
  "type": "Vulnerability",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [{"type": "Organizations using React Native CLI"}],
  "attack_vector": "Crafted POST requests to exposed Metro Server endpoints",
  "data_breach": {"data_exfiltration": "Potential data exfiltration"},
  "description": "The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-11953, a critical OS command injection vulnerability in the React Native Community Command-Line Interface (CLI), to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation in the wild. The flaw affects the Metro Development Server, a core component of the React Native CLI used for bundling JavaScript during app development. Attackers can exploit the vulnerability by sending crafted POST requests to exposed Metro Server endpoints, enabling arbitrary command execution, particularly severe on Windows systems, where it allows full control over development machines or build servers.",
  "impact": {
    "operational_impact": "Full host compromise, privilege escalation, lateral movement",
    "systems_affected": "Development machines, build servers"
  },
  "initial_access_broker": {
    "entry_point": "Exposed Metro Servers (e.g., on public Wi-Fi or insecure networks)"
  },
  "post_incident_analysis": {
    "root_causes": "Relaxed security controls in development environments, exposed Metro Servers"
  },
  "recommendations": [
    "Upgrade to the latest patched version of @react-native-community/cli",
    "Restrict access to Metro Servers, avoiding exposure to untrusted networks",
    "Monitor network logs for suspicious activity on the default Metro port (8081)"
  ],
  "references": [{"source": "CISA Known Exploited Vulnerabilities (KEV) catalog"}],
  "regulatory_compliance": {
    "regulatory_notifications": "CISA mandates remediation for Federal Civilian Executive Branch (FCEB) agencies by February 26, 2026"
  },
  "response": {
    "containment_measures": [
      "Upgrade to the latest patched version of @react-native-community/cli",
      "Restrict access to Metro Servers"
    ],
    "enhanced_monitoring": "Monitor network logs for suspicious activity on the default Metro port (8081)",
    "remediation_measures": [
      "Monitor network logs for suspicious activity on the default Metro port (8081)"
    ]
  },
  "threat_actor": ["Initial access brokers", "Data exfiltration campaigns"],
  "title": "CISA Warns of Actively Exploited React Native CLI Vulnerability (CVE-2025-11953)",
  "type": "OS Command Injection",
  "vulnerability_exploited": "CVE-2025-11953"
}