Detections
Analytics
React Native Community CLI Server API Node.js Package 4.8.0 < 20.0.0 Remote Code Execution (CVE-2025-11953)
critical Nessus Plugin ID 298225
Synopsis
The React Native Community CLI Server API Node.js Package installed on the remote host is affected by a remote code execution vulnerability.Description
The version of the React Native Community CLI Server API Node.js Package installed on the remote host is 4.8.0 prior to 20.0.0. It is, therefore, affected by a remote code execution vulnerability:- The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments. (CVE-2025-11953)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to React Native Community CLI Server API Node.js Package version 20.0.0 or later.See Also
Plugin Details
Severity: Critical
ID: 298225
File Name: react_native_community_cli_server_api_nodejs_package_20_0_0.nasl
Version: 1.1
Type: local
Agent: windows, macosx, unix
Family: Misc.
Published: 2/6/2026
Updated: 2/6/2026
Configuration: Enable thorough checks (optional)
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Critical
Score: 9.0
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2025-11953
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Information
CPE: cpe:/a:nodejs:node.js
Required KB Items: Host/nodejs/modules/enumerated
Patch Publication Date: 11/3/2025
Vulnerability Publication Date: 11/3/2025
Reference Information
CVE: CVE-2025-11953