Metro CLI server-api: CVE-2025-11953: Remote Code Execution via /open-url Endpoint (Metro4Shell)

Severity: 7
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: Mar 11, 2025
Added: Mar 31, 2026
Modified: Mar 31, 2026

Description

The @react-native-community/cli-server-api package, used by Metro and React Native, contains a remote code execution (RCE) vulnerability affecting Windows environments. A malicious actor with network access to the Metro server can send a specially crafted POST request to the '/open-url' endpoint.

Because the 'url' parameter is not sufficiently validated before it is passed to a shell execution command, an unauthenticated attacker can execute arbitrary commands with the privileges of the user running the Metro server.
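The root cause described above is a request parameter reaching a shell command string without validation. The following is an added example, not code from the cli-server-api package, of the input check a handler for an endpoint like '/open-url' should apply before any process is launched: the value must be a single string, parse as a WHATWG URL, use only http or https, carry no embedded credentials, and contain no shell metacharacters. The function names (validateOpenUrl, handleOpenUrl) and the sample inputs are constructed for illustration.

```javascript
// Added example (hypothetical, not the package's own code): strict validation
// of an /open-url style parameter before any browser launch.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Characters that a shell would interpret. The WHATWG URL parser accepts many
// of them in a path or query, so a successful parse alone is not enough.
const SHELL_META = /[\s&|;<>^`$"'()]/;

function validateOpenUrl(raw) {
  // Query-string parsers can yield arrays or undefined; accept only a string.
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: 'missing, non-string or oversized url' };
  }
  let parsed;
  try {
    parsed = new URL(raw); // throws on anything that is not an absolute URL
  } catch (e) {
    return { ok: false, reason: 'unparseable url' };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: 'protocol not allowed: ' + parsed.protocol };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: 'credentials embedded in url' };
  }
  // Use the normalized form; the parser percent-encodes spaces but leaves
  // characters such as & | ; intact, which is why the regex check follows.
  const normalized = parsed.href;
  if (SHELL_META.test(normalized)) {
    return { ok: false, reason: 'shell metacharacter in url' };
  }
  return { ok: true, url: normalized };
}

// Minimal handler shape: reject before launch, and never build a shell string.
function handleOpenUrl(body) {
  const result = validateOpenUrl(body ? body.url : undefined);
  if (!result.ok) {
    return { status: 400, url: null, reason: result.reason };
  }
  // A real handler would launch the browser here, passing result.url as one
  // argv element to child_process.spawn with shell: false. On Windows, where
  // "start" runs through cmd.exe and reparses its arguments, this validation
  // is the control that matters, so it must run before any launch.
  return { status: 200, url: result.url, reason: null };
}

// Constructed sample requests, as a self-check when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  for (const body of [
    { url: 'http://localhost:8081/debugger-ui/' },
    { url: 'http://localhost:8081/ & echo injected' },
    { url: 'file:///C:/Windows' },
    {},
  ]) {
    console.log(JSON.stringify(body), '->', JSON.stringify(handleOpenUrl(body)));
  }
}
```

The allowlist on protocol does most of the work: it rules out file:, javascript: and custom schemes outright. The metacharacter check is a second layer for the case where the validated value is later handed to a launcher that still goes through a shell, which is the exact failure mode this advisory describes.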

Solution

node-metro-cli-server-api-rce-cve-2025-11953