Native CLI — CVE-2025-11953
The Metro development server from @react-native-community/cli has a critical vulnerability where its /open-url endpoint accepts JSON POST requests and passes the url field unsanitized to the open() function, enabling command execution on certain platforms.
Vulnerability Details
Affected Versions: @react-native-community/cli 4.8.0 through 20.0.0-alpha.2
Fixed in: Version 20.0.0 and later
The vulnerability exists in openURLMiddleware.ts where user-supplied URL input flows directly to the open() npm package without validation. This package spawns platform-specific OS processes, creating different exploitation vectors depending on the operating system.
Platform-Specific Impact
Windows: Most severe. The open() function executes cmd /c start "" /b <url>, which interprets the payload as a command. This essentially allows arbitrary command execution through shell interpretation.
Linux: Lower risk. Uses xdg-open <url> which treats the argument as a file path or URI without shell processing. Exploitation requires leveraging vulnerable desktop handlers or local executable files.
macOS: Uses the open <url> command. Risk profile similar to Linux, dependent on available URI handlers.
Detection and Mitigation
Check for the vulnerable package:
npm list @react-native-community/cli-server-api
Remediation options include:
- Upgrading to version 20.0.0 or later
- Binding the Metro server to localhost only with --host 127.0.0.1
- Implementing strict input validation and sanitization on the URL parameter
The patch implements proper security controls to prevent the command injection attack vector.
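As an added example (not the project's own middleware), the kind of allowlist validation the third remediation option describes, applied to the same /open-url request shape; the names isSafeOpenUrl and handleOpenUrl and the injected opener (standing in for the open() package so it runs offline) are assumptions.

```javascript
// Added example, not code from @react-native-community/cli: a hardened
// /open-url handler that only ever hands the opener a re-serialized http(s)
// URL. `opener` is injected here in place of the real open() call.

const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// True only for an absolute http(s) URL that parses cleanly and carries no
// whitespace, control characters or shell metacharacters. The strictness is
// acceptable for a dev-server endpoint whose job is to open a debugger page.
function isSafeOpenUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return false;
  }
  // On Windows the url ends up inside `cmd /c start "" /b <url>`; whitespace
  // and metacharacters are what would let it be read as more than one token.
  if (/[\s\x00-\x1f\x7f"'&|;<>^`$]/.test(raw)) return false;
  let parsed;
  try {
    parsed = new URL(raw); // throws for relative paths and bare words
  } catch {
    return false;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false; // no file:, custom schemes
  if (parsed.hostname === "") return false;
  return true;
}

// Takes the parsed JSON body of a POST /open-url request and returns the
// response status plus what (if anything) was passed to the opener.
function handleOpenUrl(body, opener) {
  const url = body && body.url;
  if (!isSafeOpenUrl(url)) {
    return { status: 400, opened: null };
  }
  const normalized = new URL(url).href; // never forward the raw string
  opener(normalized);
  return { status: 200, opened: normalized };
}

module.exports = { isSafeOpenUrl, handleOpenUrl };
```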