## https://sploitus.com/exploit?id=CEC1FC3C-9774-5BA9-99C2-BFF8659DD320
# CVE-2025-11953 - React Native CLI RCE Research Environment




## ๐ Overview
CVE-2025-11953 is a critical Remote Code Execution (RCE) vulnerability in the React Native CLI's Metro development server discovered by JFrog Security. This research environment provides the actual vulnerable implementation for defensive security research, detection development, and mitigation testing.
**CVSS Score:** 9.8 (CRITICAL)
**Affected Versions:** @react-native-community/cli-server-api v4.8.0 โ v20.0.0-alpha.2
**Fixed Version:** v20.0.0+ (Released October 2025)
**Vulnerability Type:** OS Command Injection via `/open-url` endpoint
**Weekly Downloads:** Over 2 million (pre-disclosure)
## ๐ Quick Start
### Prerequisites
- Windows 10/11 VM (recommended for realistic testing)
- Node.js 14.0 or higher
- **ISOLATED Virtual Machine** (mandatory - no bridged networking)
- Disabled Windows Defender/antivirus for testing
- No connection to production networks
### Installation
```bash
# Clone the repository
git clone
cd
# Install dependencies
npm install
# Start the app
npm start
# Localhost only
npm run start-local
```
### DEMO Screenshots