GHSA-399j-vxmf-hjvr

Source
https://github.com/advisories/GHSA-399j-vxmf-hjvr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-399j-vxmf-hjvr/GHSA-399j-vxmf-hjvr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-399j-vxmf-hjvr
Aliases
Published
2025-11-03T18:31:52Z
Modified
2026-02-05T21:49:39.769167Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
@react-native-community/cli has arbitrary OS command injection
Details

The Metro development server, which the React Native CLI starts, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection (CWE-78): an unauthenticated attacker with network access to the dev server can send a single POST request and run arbitrary executables. On Windows, the attacker can additionally execute arbitrary shell commands with fully controlled arguments. The vector (AV:N/PR:N/UI:N) reflects that no credentials or user interaction are needed; any host that can reach the dev-server port is in scope. Fixed in @react-native-community/cli and @react-native-community/cli-server-api 18.0.1, 19.1.2 and 20.0.0 (see the affected ranges below).
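Whether a project is affected depends on the exact installed version of the two packages, including pre-releases (the 19.x and 20.x ranges start at an alpha). The following is an added example, not code from the advisory or from the react-native-community project: it encodes the [introduced, fixed) SEMVER ranges listed on this page, compares versions with pre-release ordering, and scans a package-lock.json v2/v3 "packages" map. The lockfile shown is a constructed sample, and `findAffectedInLock`, `isAffected` and `compareSemver` are names chosen here.

```javascript
// Added example (not from the advisory or the react-native-community project):
// offline check of installed versions against the SEMVER ranges on this page
// for GHSA-399j-vxmf-hjvr. Each range is [introduced, fixed).
const AFFECTED = {
  "@react-native-community/cli": [
    ["18.0.0", "18.0.1"],
    ["19.0.0-alpha.0", "19.1.2"],
    ["20.0.0-alpha.0", "20.0.0"],
  ],
  "@react-native-community/cli-server-api": [
    ["18.0.0", "18.0.1"],
    ["19.0.0-alpha.0", "19.1.2"],
    ["20.0.0-alpha.0", "20.0.0"],
  ],
};

// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]"; build metadata is ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split(".") : [] };
}

// Pre-release identifier ordering per the semver spec: numeric identifiers sort
// before alphanumeric ones and compare as numbers; alphanumeric compare lexically.
function cmpIdent(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1. A pre-release sorts before the same core version, so
// 20.0.0-alpha.0 < 20.0.0 and 19.0.0-rc.1 < 19.0.0.
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (A.core[i] !== B.core[i]) return A.core[i] < B.core[i] ? -1 : 1;
  }
  if (A.pre.length === 0 && B.pre.length === 0) return 0;
  if (A.pre.length === 0) return 1;
  if (B.pre.length === 0) return -1;
  const n = Math.min(A.pre.length, B.pre.length);
  for (let i = 0; i < n; i++) {
    const c = cmpIdent(A.pre[i], B.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(A.pre.length - B.pre.length);
}

// True if `version` of `pkg` falls inside any [introduced, fixed) range above.
function isAffected(pkg, version) {
  const ranges = AFFECTED[pkg];
  if (!ranges) return false;
  return ranges.some(([introduced, fixed]) =>
    compareSemver(version, introduced) >= 0 && compareSemver(version, fixed) < 0);
}

// Walk the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3).
// Keys look like "node_modules/<name>" or "node_modules/a/node_modules/<name>";
// the package name is everything after the last "node_modules/".
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const marker = "node_modules/";
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (entry.version && isAffected(name, entry.version)) {
      hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment, not a real project.
const SAMPLE_LOCK = {
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/@react-native-community/cli": { version: "19.1.1" },
    "node_modules/@react-native-community/cli-server-api": { version: "19.1.2" },
    "node_modules/metro": { version: "0.82.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Real use: findAffectedInLock(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
  console.log(findAffectedInLock(SAMPLE_LOCK));
}
```

Note that the 18.x range is introduced at `18.0.0` rather than at an alpha, so an `18.0.0-rc.x` install is outside the listed range under SEMVER ordering; the 19.x and 20.x ranges do start at `alpha.0`. Run the check against every lockfile in a monorepo, since nested `node_modules` copies of the CLI are common.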

Database specific
{
    "nvd_published_at": "2025-11-03T17:15:32Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "github_reviewed_at": "2025-11-06T17:28:29Z",
    "severity": "CRITICAL",
    "github_reviewed": true
}
References

Affected packages

npm
@react-native-community/cli

Package

Name
@react-native-community/cli
Purl
pkg:npm/%40react-native-community/cli

Affected ranges

Type
SEMVER
Events
Introduced
20.0.0-alpha.0
Fixed
20.0.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-399j-vxmf-hjvr/GHSA-399j-vxmf-hjvr.json"
@react-native-community/cli

Package

Name
@react-native-community/cli
Purl
pkg:npm/%40react-native-community/cli

Affected ranges

Type
SEMVER
Events
Introduced
19.0.0-alpha.0
Fixed
19.1.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-399j-vxmf-hjvr/GHSA-399j-vxmf-hjvr.json"
@react-native-community/cli

Package

Name
@react-native-community/cli
Purl
pkg:npm/%40react-native-community/cli

Affected ranges

Type
SEMVER
Events
Introduced
18.0.0
Fixed
18.0.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-399j-vxmf-hjvr/GHSA-399j-vxmf-hjvr.json"
@react-native-community/cli-server-api

Package

Name
@react-native-community/cli-server-api
Purl
pkg:npm/%40react-native-community/cli-server-api

Affected ranges

Type
SEMVER
Events
Introduced
20.0.0-alpha.0
Fixed
20.0.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-399j-vxmf-hjvr/GHSA-399j-vxmf-hjvr.json"
@react-native-community/cli-server-api

Package

Name
@react-native-community/cli-server-api
Purl
pkg:npm/%40react-native-community/cli-server-api

Affected ranges

Type
SEMVER
Events
Introduced
19.0.0-alpha.0
Fixed
19.1.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-399j-vxmf-hjvr/GHSA-399j-vxmf-hjvr.json"
@react-native-community/cli-server-api

Package

Name
@react-native-community/cli-server-api
Purl
pkg:npm/%40react-native-community/cli-server-api

Affected ranges

Type
SEMVER
Events
Introduced
18.0.0
Fixed
18.0.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-399j-vxmf-hjvr/GHSA-399j-vxmf-hjvr.json"