VulnFeed by Novadyne

CVE-2025-11953: React Native CLI dev-server command injection

CVE-2025-11953 (React Native CLI dev-server command injection) is an OS command injection (remote code execution) vulnerability in @react-native-community/cli-server-api (npm). As of 2026-06-18 it carries a very high 61.9% probability of exploitation in the next 30 days (EPSS). It is fixed in 20.0.0; if you depend on an earlier version, directly or transitively, upgrade.

Severity: Critical
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS (exploit probability, 30d): 61.9% · 99th percentile
Vulnerability type: OS Command Injection (Remote Code Execution)
Affected package: @react-native-community/cli-server-api (npm)
Fixed in: 20.0.0

What is CVE-2025-11953?

The Metro development server bundled with React Native's community CLI (millions of weekly downloads) exposed an /open-url endpoint that passed the caller-supplied URL, unsanitized, to the open() function. A remote attacker able to reach the dev server could achieve arbitrary OS command execution: full RCE on Windows, more constrained on macOS/Linux. Because the server bound to more than the loopback interface by default, the endpoint was reachable from other hosts on the developer's network, not just from the developer's own machine, which widened exposure considerably.
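The paragraph above describes the defect class rather than showing it. The following is an added illustration written for this page; it is not the React Native CLI's own code, and it is not a substitute for upgrading. The opener is modelled by a recording stub (an assumption of this example) so nothing is spawned, and the handler, validator and sample inputs are all constructed here. It places a handler that passes the body's url straight through beside one that first insists on a plain absolute http(s) URL free of shell metacharacters.

```javascript
// Added illustration of the defect class, not the React Native CLI's own code.
// The opener is a recording stub (assumption): in the real bug the string reached
// a function that, on Windows, handed it to a shell.

// Stand-in for a browser-opening function: records what it was given instead of spawning.
function makeRecordingOpener(calls) {
  return (target) => {
    calls.push(target);
    return true;
  };
}

// Vulnerable shape: the request body's `url` goes straight to the opener.
function handleOpenUrlVulnerable(body, open) {
  open(String(body && body.url));
  return { status: 200 };
}

// Accept only absolute http(s) URLs with a host and none of the characters that a
// shell, a terminal or a command-line parser could treat specially.
// Returns the normalized URL, or null when the input must be refused.
function validateWebUrl(input) {
  if (typeof input !== "string" || input.length === 0 || input.length > 2048) return null;
  // Whitespace, control characters, quotes and shell metacharacters: refuse outright.
  if (/[\s\x00-\x1f\x7f"'`$;&|<>(){}\\^]/.test(input)) return null;
  let parsed;
  try {
    parsed = new URL(input);
  } catch {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  if (parsed.hostname === "") return null;
  return parsed.href;
}

// Hardened shape: reject anything that is not a plain web URL before it is used.
function handleOpenUrlHardened(body, open) {
  const safe = validateWebUrl(body && body.url);
  if (safe === null) return { status: 400, error: "url must be an absolute http(s) URL" };
  open(safe);
  return { status: 200 };
}

// Constructed inputs: a legitimate dev-server page and a string carrying shell metacharacters.
const GOOD_URL = "http://localhost:8081/debugger-ui/";
const HOSTILE_URL = "http://example.test/ & echo injected";

// Runs both handlers on both inputs and returns what each opener actually received.
function demo() {
  const vulnerableCalls = [];
  handleOpenUrlVulnerable({ url: HOSTILE_URL }, makeRecordingOpener(vulnerableCalls));
  const hardenedCalls = [];
  const rejected = handleOpenUrlHardened({ url: HOSTILE_URL }, makeRecordingOpener(hardenedCalls));
  const accepted = handleOpenUrlHardened({ url: GOOD_URL }, makeRecordingOpener(hardenedCalls));
  return { vulnerableCalls, hardenedCalls, rejected, accepted };
}
```

The validator deliberately refuses `&` and `;` even though they are legal in query strings: a dev server only needs to open its own pages, so a narrow allowlist costs nothing, and the real defence is to never hand a caller-controlled string to anything that builds a shell command line. If query strings matter in your own code, pass the URL as a single argv element to a process rather than through a shell.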

Is CVE-2025-11953 exploitable?

CVE-2025-11953 has an EPSS score of 61.9% (99th percentile), meaning a very high 61.9% probability of exploitation in the next 30 days. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which scores as Critical severity: network-reachable, low complexity, no privileges or user interaction required. It is an OS command injection (remote code execution) issue.

What is the EPSS score for CVE-2025-11953?

As of 2026-06-18, the EPSS exploit-prediction score for CVE-2025-11953 is 61.9% (99th percentile). EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days and is recomputed daily by FIRST.org.

How do I fix CVE-2025-11953?

Upgrade @react-native-community/cli-server-api to 20.0.0 or later. If the package reaches your project only transitively, find out what pulls it in (npm ls @react-native-community/cli-server-api lists every resolved copy) and update that dependency or your lockfile so that a fixed version resolves everywhere, including nested duplicates. Until the upgrade lands, treat the dev server as exposed: it bound beyond localhost by default, so do not run it on networks you do not trust and stop it when you are not actively developing.

Am I affected by CVE-2025-11953?

You are affected if your project (directly or transitively) depends on a vulnerable version of @react-native-community/cli-server-api in the npm ecosystem. Check your lockfile for the resolved version (npm ls @react-native-community/cli-server-api shows every copy npm resolved, including nested duplicates that a top-level check would miss), or scan automatically with VulnFeed.

Check your own project automatically

Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS. It is free, with no signup (10 scans/day). To query a single package, substitute the package name and the resolved version from your lockfile for PKG and VERSION:

curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
  -H 'content-type: application/json' \
  -d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'

Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."

Data sources: vulnerability metadata from OSV.dev and the National Vulnerability Database; exploit-probability (EPSS) from FIRST.org (recomputed daily; EPSS data shown here as of 2026-06-18). Page generated 2026-06-18.