CISA Flags Actively Exploited React Native CLI Vulnerability (CVE-2025-11953)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11953 to its Known Exploited Vulnerabilities (KEV) catalog on February 5, 2026, after confirming active exploitation of an OS command injection flaw in the React Native Community CLI. Federal agencies must patch the vulnerability by February 26, 2026, under Binding Operational Directive (BOD) 22-01.
The flaw affects Metro Development Servers, a core component of React Native, a widely used framework for cross-platform mobile apps deployed by enterprises like Meta and Shopify. Attackers can exploit the vulnerability by sending unauthenticated POST requests to a vulnerable endpoint, enabling remote code execution (RCE). On Windows systems, this escalates to full shell control, allowing threat actors to deploy ransomware, exfiltrate data, or establish persistent backdoors.
The open-source nature of the React Native Community CLI amplifies supply chain risks, as the flaw could propagate through third-party libraries and proprietary applications. While no ransomware group has claimed responsibility, such vulnerabilities are frequently leveraged in advanced persistent threat (APT) campaigns for initial access.
Organizations with CI/CD pipelines or development environments face heightened risk, particularly if Metro servers, which are commonly exposed in local workflows, are accessible. Weak network segmentation could enable lateral movement within compromised environments. Security teams are advised to monitor for anomalous POST requests to CLI endpoints (e.g., `/cli/debugger`) and for indicators of compromise (IOCs), such as unexpected process spawns.
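One way to triage the POST-request monitoring described above, as an added example that is not part of the original article or the React Native project. It assumes a reverse proxy or network sensor in front of Metro writes one line per request in the format shown in the comment; the log format, the `/cli/` prefix list and all function names are assumptions, and only the `/cli/debugger` path and port 8081 come from the article.

```python
import ipaddress
import re

# "/cli/debugger" is the example path from the article; the prefix is an assumption.
WATCHED_PREFIXES = ("/cli/",)
METRO_PORT = 8081  # default Metro port per the article

# Assumed log format: <client> <server_port> [ts] "METHOD path HTTP/x" status
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<port>\d+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

def is_local(client: str) -> bool:
    """True for loopback clients, including IPv4-mapped IPv6 (::ffff:127.0.0.1)."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # unparseable client: treat as remote so it gets reviewed
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_loopback

def suspicious_requests(lines):
    """Return (ts, client, path) for non-local POSTs to watched paths on the Metro port."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m["port"]) != METRO_PORT or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].lower()  # ignore query string and case
        if path.startswith(WATCHED_PREFIXES) and not is_local(m["client"]):
            hits.append((m["ts"], m["client"], path))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '127.0.0.1 8081 [05/Feb/2026:10:00:01 +0000] "POST /cli/debugger HTTP/1.1" 200',
    '203.0.113.7 8081 [05/Feb/2026:10:02:13 +0000] "POST /cli/debugger HTTP/1.1" 200',
    '::ffff:127.0.0.1 8081 [05/Feb/2026:10:03:00 +0000] "POST /cli/debugger HTTP/1.1" 200',
    '198.51.100.9 8081 [05/Feb/2026:10:04:45 +0000] "GET /status HTTP/1.1" 200',
    '198.51.100.9 8081 [05/Feb/2026:10:05:02 +0000] "POST /CLI/debugger?x=1 HTTP/1.1" 404',
]

if __name__ == "__main__":
    for ts, client, path in suspicious_requests(SAMPLE):
        print(f"{ts}  {client}  POST {path}")
```

Any hit is worth correlating with process-creation telemetry from the same host and time window, since the article names unexpected process spawns as the companion indicator.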
Mitigation measures include:
- Immediate patching via GitHub updates (verified with `npx @react-native-community/cli@latest doctor`).
- Firewalling Metro ports (default: 8081).
- Endpoint detection and response (EDR) for command-line monitoring.
- Discontinuing unpatched instances in production or development environments.
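Before writing firewall rules for the Metro port, it helps to know which hosts actually have it bound beyond loopback. The following added example (not from the original article or the React Native project) classifies listeners in the text output of `ss -ltn` on Linux; the function names and the sample output are constructed for illustration, and only the default port 8081 comes from the article.

```python
import ipaddress

METRO_PORT = 8081  # default Metro port per the article

def split_local(field: str):
    """Split ss's 'Local Address:Port' value into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop an interface scope (%eth0) first, then IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    return host, int(port)

def exposed_listeners(ss_output: str, port: int = METRO_PORT):
    """Return local address fields listening on `port` that are reachable off-host."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, lport = split_local(cols[3])
        if lport != port:
            continue
        # "*" is a wildcard bind with the same reach as 0.0.0.0 or ::
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            exposed.append(cols[3])
    return exposed

# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       511     127.0.0.1:8081      0.0.0.0:*
LISTEN  0       511     *:8081              *:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       511     [::1]:8081          [::]:*
LISTEN  0       511     192.168.1.20:8081   0.0.0.0:*
"""

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS):
        print(f"Metro port reachable beyond loopback: {addr}")
```

Listeners bound only to `127.0.0.1` or `::1` are not reported; wildcard and LAN-address binds are the ones the firewalling step needs to cover.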
CISA has urged Federal Civilian Executive Branch (FCEB) agencies to prioritize remediation, emphasizing that development tools remain prime targets in the expanding 2026 attack surface.
Source: https://cybersecuritynews.com/react-native-command-injection-flaw/
Shopify cybersecurity rating report: https://www.rankiteo.com/company/shopify
"id": "SHO1770359735",
"linkid": "shopify",
"type": "Vulnerability",
"date": "2/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology/Social Media',
'name': 'Meta',
'type': 'Enterprise'},
{'industry': 'E-commerce',
'name': 'Shopify',
'type': 'Enterprise'}],
'attack_vector': 'Unauthenticated POST requests to vulnerable CLI endpoint',
'data_breach': {'data_exfiltration': 'Possible'},
'date_detected': '2026-02-05',
'date_publicly_disclosed': '2026-02-05',
'description': 'The U.S. Cybersecurity and Infrastructure Security Agency '
'(CISA) added CVE-2025-11953 to its Known Exploited '
'Vulnerabilities (KEV) catalog after confirming active '
'exploitation of an OS command injection flaw in the React '
'Native Community CLI. The vulnerability affects Metro '
'Development Servers, enabling remote code execution (RCE) via '
'unauthenticated POST requests, with potential for full shell '
'control on Windows systems.',
'impact': {'operational_impact': 'Potential for ransomware deployment, data '
'exfiltration, or persistent backdoors',
'systems_affected': 'Metro Development Servers, React Native '
'applications'},
'initial_access_broker': {'backdoors_established': 'Possible persistent '
'backdoors',
'entry_point': 'Unauthenticated POST requests to '
'vulnerable CLI endpoint'},
'investigation_status': 'Ongoing',
'post_incident_analysis': {'corrective_actions': 'Patching, network '
'segmentation, enhanced '
'monitoring',
'root_causes': 'OS command injection flaw in React '
'Native Community CLI '
'(CVE-2025-11953)'},
'ransomware': {'data_encryption': 'Possible', 'data_exfiltration': 'Possible'},
'recommendations': ['Immediate patching via GitHub updates',
'Firewalling Metro ports (default: 8081)',
'Endpoint detection and response (EDR) for command-line '
'monitoring',
'Discontinuing unpatched instances in production or '
'development environments',
'Monitoring for anomalous POST requests to CLI endpoints '
'(e.g., `/cli/debugger`)',
'Network segmentation to prevent lateral movement'],
'references': [{'date_accessed': '2026-02-05',
'source': 'CISA Known Exploited Vulnerabilities (KEV) '
'catalog'}],
'regulatory_compliance': {'regulatory_notifications': 'Binding Operational '
'Directive (BOD) 22-01 '
'for Federal Civilian '
'Executive Branch '
'(FCEB) agencies'},
'response': {'containment_measures': 'Immediate patching, firewalling Metro '
'ports (default: 8081), discontinuing '
'unpatched instances',
'enhanced_monitoring': 'Endpoint detection and response (EDR) '
'for command-line monitoring',
'network_segmentation': 'Recommended to prevent lateral movement',
'remediation_measures': 'Patching via GitHub updates (verified '
'with `npx '
'@react-native-community/cli@latest '
'doctor`)'},
'stakeholder_advisories': 'Federal Civilian Executive Branch (FCEB) agencies '
'must patch by February 26, 2026',
'title': 'CISA Flags Actively Exploited React Native CLI Vulnerability '
'(CVE-2025-11953)',
'type': 'OS Command Injection',
'vulnerability_exploited': 'CVE-2025-11953'}