Critical RCE in React Native Community CLI CVE-2025-11953

BLUF

A critical OS command injection vulnerability (CVSS 9.8) in the @react-native-community/cli NPM package (the vulnerable code is in its @react-native-community/cli-server-api component, versions 4.8.0 through 20.0.0-alpha.2) allows unauthenticated remote attackers to execute commands on a developer's machine. The Metro development server started by the CLI binds to all network interfaces (0.0.0.0) by default and exposes an unauthenticated /open-url endpoint that passes the attacker-supplied url value from the POST body to the open NPM package without validation. On Windows this yields arbitrary OS command execution; on macOS and Linux it allows launching arbitrary executables with limited control over their arguments. The fix shipped in version 20.0.0.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by CVE-2025-11953 exploitation or suspected abuse:

  • Low-end total cost: $500,000 – $750,000
    (Rapid patching, no chaining, limited exposure)

  • Typical expected range: $1M – $1.8M

  • Upper-bound realistic scenarios: $2.5M – $3.5M
    (Chained exploitation into CI/CD systems, credential compromise, regulatory or customer-driven assurance reviews, prolonged forensic investigation)

Key cost driver:

This vulnerability is dangerous not because it causes immediate outages, but because it quietly undermines trust in developer and build environments. Costs are driven less by downtime and more by the need for assurance, validation, and governance response once administrative boundaries, code integrity, and signing trust are in doubt.

Potential Affected Sectors

  • Software Development

  • Information Technology

  • Mobile App Development

  • Any enterprise employing React Native developers or using CI/CD build agents.

Potential Affected Countries

  • Global (the package has roughly 2 million weekly downloads).

Date of First Reported Activity

  • November 3, 2025

Date of Last Reported Activity Update

  • December 22, 2025

CVE-2025-11953

CVSS 3.1

  • 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Nessus ID

  • There is no plugin for CVE-2025-11953 at this time.

Is this on the KEV list

  • No

Patching/Mitigation Data:

Patch Release Date

  • November 3, 2025

Mitigation:

  • Upgrade @react-native-community/cli (and its @react-native-community/cli-server-api component) to 20.0.0 or later, which contains the fix.

Workaround

  • Bind the Metro server to localhost explicitly (for example: npx react-native start --host 127.0.0.1) rather than relying on the default, which listens on all interfaces.

  • Use host and network firewalls to block inbound access to TCP port 8081 (and any custom --port value) from anything other than the developer's own machine and the test devices that genuinely need it.

React Native CLI Fix Commit.

APT Groups

  • No APT groups have been associated with this CVE at this time.

Criminal Organization Names

No crime organizations have been associated with this CVE at this time

IOCs

  • Unexpected POST requests to /open-url, /open-stack-frame, /symbolicate or /debugger-ui on port 8081 from non-local IPs. A physical test device on the LAN legitimately fetches bundles from Metro, so key on POSTs to these routes rather than on port 8081 traffic in general.

  • calc.exe (the public PoC payload) or unexpected cmd.exe, powershell.exe or sh child processes spawned by the Node.js process running Metro, and any unexpected grandchildren of those shells.

Tools Used

  • Crafted HTTP POST requests; the open NPM package (the injection sink).

TTPs

  • T1190 Exploit Public-Facing Application (Metro server exposed on 0.0.0.0).

  • T1059.003 Command and Scripting Interpreter: Windows Command Shell (command injection via the open() call).

  • T1203 Exploitation for Client Execution (targeting developer workstations).

Malware Names

TBD (The vulnerability is a delivery mechanism for any payload, such as reverse shells or info-stealers).

Suggested rules / potential hunts

As a reminder, these are indicator rules and hunts; they are likely to be noisy.

Suggested Suricata Rules

alert http $EXTERNAL_NET any -> $HOME_NET 8081 (msg:"Possible CVE-2025-11953 Command Injection Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/open-url"; http_uri; content:"url"; http_client_body; pcre:"/url[\"']?\s*[:=]\s*[\"']?[^\"'\r\n]*(&|;|\||`|\$\()/Pi"; classtype:attempted-admin; sid:1000001; rev:2;)

The endpoint reads the url field from a JSON body ({"url": "..."}), so the expression inspects the HTTP client body (the P modifier) rather than the raw payload, and also tolerates a form-encoded url= parameter. Note that the simplest public PoC body ({"url": "calc"}) contains no shell metacharacters at all and will not match; a POST to /open-url on 8081 from anything other than the developer's own machine is anomalous on its own and justifies a second, noisier rule without the pcre.

Potential SentinelOne Rules

Monitor node.exe (or node on macOS/Linux) spawning cmd.exe, powershell.exe or sh where the parent process command line contains metro or react-native. Expect some legitimate hits: the open package launches its target through a shell, so a single node -> cmd.exe event is normal when a developer opens the debugger. Prioritise children whose arguments are not a plain http(s) URL, and any grandchildren (calc.exe, powershell.exe, etc.) of that shell.

Potential Splunk Hunts

index=network sourcetype=http_proxy dest_port=8081 method="POST" (uri="/open-url*" OR uri="/open-stack-frame*" OR uri="/symbolicate*") NOT src_ip IN ("127.0.0.1", "::1") | stats count by src_ip, dest_ip, uri

index=endpoint sourcetype=ProcessRollup parent_process_name="node.exe" (process_name="cmd.exe" OR process_name="powershell.exe") (process="*&*" OR process="*;*" OR process="*|*")
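The following added example (written for this page, not part of the advisory or any vendor's content) expresses the Suricata, SentinelOne and Splunk hunts above as plain JavaScript over constructed sample events, so the logic and its noise sources can be checked before being ported into a SIEM. Field names such as src_ip, dest_port, uri, parent_process_name and command_line are assumptions modelled on generic proxy and EDR process telemetry; the sample command lines are constructed, not captured.

```javascript
// Added example, not from the advisory or any vendor: the network and process hunts above
// as plain JavaScript over constructed sample events. Field names are assumptions modelled
// on generic proxy and EDR process telemetry, not a specific product's schema.

const METRO_ENDPOINTS = new Set(['/open-url', '/open-stack-frame', '/symbolicate', '/debugger-ui']);
const LOOPBACK = /^(127\.\d+\.\d+\.\d+|::1|::ffff:127\.\d+\.\d+\.\d+)$/;
const SHELL_META = /[&|;`$<>^]/;
const NODE_NAMES = new Set(['node.exe', 'node']);
const SHELLS = new Set(['cmd.exe', 'powershell.exe', 'pwsh.exe', 'sh', 'bash', 'zsh']);

// Hunt 1: POSTs to Metro dev-server endpoints on 8081 from anything but the developer's own
// loopback address. The body is deliberately not inspected: the {"url":"calc"} style PoC
// carries no shell metacharacters, and an external POST to these routes is anomalous anyway.
function huntNetwork(events) {
  return events.filter((e) => {
    if (e.method !== 'POST' || Number(e.dest_port) !== 8081) return false;
    const path = String(e.uri || '').split('?')[0];
    return METRO_ENDPOINTS.has(path) && !LOOPBACK.test(String(e.src_ip || ''));
  });
}

// Hunt 2: node spawning a shell. A node -> cmd.exe pair is normal on a dev box (the CLI
// opens the debugger through open()), so a hit needs either shell metacharacters in the
// child command line, or a Metro/react-native parent launching something that is not a
// plain http(s) URL. (Assumption: legitimate open-url calls only ever open http(s) URLs.)
function huntProcess(events) {
  const hits = [];
  for (const e of events) {
    const parent = String(e.parent_process_name || '').toLowerCase();
    const child = String(e.process_name || '').toLowerCase();
    if (!NODE_NAMES.has(parent) || !SHELLS.has(child)) continue;
    const cmdline = String(e.command_line || '');
    const parentCmd = String(e.parent_command_line || '').toLowerCase();
    const reasons = [];
    if (SHELL_META.test(cmdline)) reasons.push('metacharacters in child command line');
    if (/metro|react-native/.test(parentCmd) && !/https?:\/\//.test(cmdline)) {
      reasons.push('Metro parent launched a non-URL target');
    }
    if (reasons.length > 0) hits.push({ host: e.host, child, cmdline, reasons });
  }
  return hits;
}

// Constructed sample records (not captured telemetry). Command lines are in the shape one
// would expect from a shell-based open(), but are illustrative only.
const SAMPLE_NETWORK = [
  { src_ip: '127.0.0.1', dest_ip: '127.0.0.1', dest_port: 8081, method: 'POST', uri: '/open-url' },          // developer's own CLI
  { src_ip: '10.0.0.55', dest_ip: '10.0.0.7', dest_port: 8081, method: 'POST', uri: '/open-url' },           // LAN peer: suspicious
  { src_ip: '10.0.0.55', dest_ip: '10.0.0.7', dest_port: 8081, method: 'GET', uri: '/status' },              // not a hunt hit
  { src_ip: '203.0.113.9', dest_ip: '10.0.0.7', dest_port: 8081, method: 'POST', uri: '/symbolicate?x=1' },  // external: suspicious
];

const SAMPLE_PROCESS = [
  { host: 'DEV-01', parent_process_name: 'node.exe', parent_command_line: 'node ./node_modules/.bin/react-native start',
    process_name: 'cmd.exe', command_line: 'cmd /c start "" /b http://localhost:8081/debugger-ui' },  // legitimate debugger open
  { host: 'DEV-01', parent_process_name: 'node.exe', parent_command_line: 'node ./node_modules/.bin/react-native start',
    process_name: 'cmd.exe', command_line: 'cmd /c start "" /b calc.exe' },                          // PoC: non-URL target
  { host: 'DEV-01', parent_process_name: 'node.exe', parent_command_line: 'node ./node_modules/.bin/react-native start',
    process_name: 'cmd.exe', command_line: 'cmd /c start "" /b http://x/ & powershell -enc AAAA' }, // injection
  { host: 'BUILD-02', parent_process_name: 'node.exe', parent_command_line: 'node build.js',
    process_name: 'cmd.exe', command_line: 'cmd /c npm run lint' },                                  // unrelated node -> cmd
];

function runHunts() {
  return { network: huntNetwork(SAMPLE_NETWORK), process: huntProcess(SAMPLE_PROCESS) };
}

if (process.argv.includes('--run')) {
  console.log(JSON.stringify(runHunts(), null, 2));
}
```

Running the file with --run prints two network hits (the LAN peer and the external source) and two process hits (the non-URL calc.exe launch and the metacharacter injection); the legitimate debugger open and the unrelated build job are correctly left alone, which is the noise reduction the plain parent/child rule above lacks.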

Delivery Method

  • Network-based POST request targeting the exposed Metro development server port (default 8081).

Email Samples

  • Not applicable.

References

JFrog

hxxps://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/

NVD

hxxps://nvd.nist.gov/vuln/detail/CVE-2025-11953

ZeroPath

hxxps://zeropath.com/blog/cve-2025-11953-react-native-metro-cli-os-command-injection

Wiz IO

hxxps://www.wiz.io/vulnerability-database/cve/cve-2025-11953

Cloudflare Developers (emergency WAF release, 2025-11-05)

hxxps://developers.cloudflare.com/changelog/2025-11-05-emergency-waf-release/
