Introduction
Remote attackers can execute arbitrary code on developer machines running the React Native Metro Development Server simply by sending a crafted network request. This risk is not limited to theoretical scenarios: any developer running Metro with default settings on a shared or untrusted network is exposed to immediate compromise. The vulnerability, tracked as CVE-2025-11953, affects the React Native Community CLI, a tool used by thousands of mobile developers worldwide to build and debug React Native applications.
React Native is an open source framework maintained by Meta (formerly Facebook) and a large community. The React Native Community CLI is the standard command line interface for initializing, running, and debugging React Native projects. Metro, the JavaScript bundler and development server at the heart of this toolchain, is responsible for serving application code to emulators and devices during development. Its widespread use in mobile app development means that vulnerabilities in Metro can have broad impact across the ecosystem.
Technical Information
CVE-2025-11953 is an OS command injection vulnerability (CWE-78) in the Metro Development Server, which is started by the React Native Community CLI. By default, Metro binds to all network interfaces, exposing its HTTP endpoints to the local network. The vulnerable endpoint, /open-stack-frame, is designed to help developers open a file in their editor at a specific line number when debugging errors. This endpoint accepts POST requests with parameters such as file and lineNumber.
The vulnerability arises because the server does not properly sanitize the lineNumber (and potentially file) parameter before constructing a command line for the configured editor. On Windows, the server uses Node.js's child_process.spawn to invoke the editor, passing the file and line number as arguments. However, if the lineNumber parameter contains shell metacharacters, these are interpreted by cmd.exe, allowing arbitrary command execution. For example, a request with:
{ "file": "C:\\Windows\\system.ini", "lineNumber": "123\" && calc" }
would cause the server to execute both the intended editor command and the Windows calculator. The vulnerability is less severe on Unix-like systems, as arguments are passed directly to the editor binary rather than through a shell, but exploitation may still be possible depending on editor behavior.
The root cause is a combination of insufficient input validation and insecure command construction, compounded by the server's default network exposure. Attackers do not need authentication and can exploit the issue remotely if they can reach the Metro server port (default 8081).
Affected Systems and Versions
- Affected product: React Native Community CLI (specifically the Metro Development Server component)
- Vulnerable versions: All versions prior to the commit 15089907d1f1301b22c72d7f68846a2ef20df547
- Default configuration is vulnerable: Metro binds to all interfaces unless explicitly configured otherwise
- All platforms are affected, but exploitation is most severe on Windows

Vendor Security History
The React Native ecosystem has faced similar command injection issues in related developer tools. For example, recent vulnerabilities in mcp-remote (CVE-2025-6514) and adb-mcp demonstrate a recurring pattern of command injection risks in Node.js-based developer tooling. The React Native Community CLI maintainers have historically responded quickly to reported vulnerabilities, but this incident highlights the need for more rigorous input validation and secure-by-default configurations in developer environments.