Critical React Native Metro dev server bug under attack
"The flaw, tracked as CVE-2025-11953, arises because the Metro development server started by the React Native Community command line tool exposes an endpoint vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run malicious executables. Similarly, on Windows machines, miscreants can abuse the security hole to execute arbitrary shell commands with fully controlled arguments."
"VulnCheck observed exploitation attempts as early as December, well before public discussion framed CVE-2025-11953 as anything more than a theoretical risk," VulnCheck CTO Jacob Baines told The Register. "This demonstrates how quickly attackers can act once scanning becomes viable, and why developer tooling - widespread, inconsistently monitored, and often not treated as production-grade - represents a particularly attractive early target."
A critical OS command-injection vulnerability (CVE-2025-11953) in the Metro development server launched by the React Native Community CLI allows unauthenticated network attackers to run arbitrary code. The affected npm package has nearly 2.5 million weekly downloads, and the flaw permits POST requests to execute malicious executables on Linux and arbitrary shell commands on Windows. JFrog researchers discovered the bug and disclosed it after Meta issued a fix; the issue received a 9.8 CVSS rating. Proof-of-concept exploits appeared quickly on GitHub, and VulnCheck observed exploitation attempts as early as December, raising concerns about inadequate public attention.
Read at The Register