virus logo Web Application Security

090502453 - React.Native.CLI.Metro.Development.Server.Command.Injection

description-logoDescription

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

affected-products-logoAffected Products

All

Impact logoImpact

System Compromise: Remote attackers can gain control of vulnerable systems.

recomended-action-logoRecommended Actions

Apply the most recent upgrade or patch from the vendor.

Version Updates

Date Version Status Detail
2025-12-04 0.00415
New
ID 1090502453
Created Dec 02, 2025
Updated Dec 02, 2025
CVE ID
Risk black-background-circle-icon black-background-circle-icon black-background-circle-icon black-background-circle-icon black-background-circle-icon
Default Action pass
Active
Affected OS All
Affected App Other
Engine Version 5.0.0 or later