PoC details: 761c733e2457f3df75cac8e09c81e27387db834e

Related vulnerability
Title: React Native Community CLI security vulnerability (CVE-2025-11953)
Description: React Native Community CLI is an open-source command-line tool from the React Native Community. It contains a security vulnerability that stems from the tool binding to external interfaces by default combined with an endpoint that is subject to OS command injection; an unauthenticated attacker may be able to execute arbitrary commands by sending a POST request.
# 🚨 **CVE-2025-11953: Critical RCE in React Native CLI** 🚨

![Linux Vulnerability (8) (1)](https://github.com/user-attachments/assets/a090dc8d-aa9e-48be-82b2-418f848efcaa)

**A severe vulnerability allowing unauthenticated remote code execution (RCE) on developer machines running React Native. Discovered by JFrog Security, this flaw carries a CVSS score of 9.8 and affects millions of developers worldwide.**

---

## 📊 **Key Facts at a Glance**

| **Aspect**              | **Details**                                                                 |
|-------------------------|-----------------------------------------------------------------------------|
| **🆔 CVE ID**           | CVE-2025-11953                                                             |
| **⚠️ Severity**         | **CRITICAL** (CVSS v3.1: **9.8**) – Network, Low Complexity, No Privileges Required |
| **🛡️ Affected Package** | `@react-native-community/cli-server-api` **v4.8.0 – v20.0.0-alpha.2**     |
| **📈 Weekly Downloads** | **Over 2 million** (NPM registry data)                                     |
| **🔓 Vulnerability Type**| OS Command Injection via Metro Dev Server `/open-url` endpoint             |
| **🩹 Fixed Version**     | **v20.0.0** (Released October 2025)                                        |
| **📅 Published**        | November 4, 2025 (NVD entry: November 5, 2025)                             |
| **🌐 Public Exposure**  | **Over 4,600 instances** detectable via public scans (ZoomEye)             |

---

## 🎯 **How the Attack Works**

![code](https://github.com/user-attachments/assets/b59689b2-4943-44d4-9f0c-086de7a17870)

1. **Metro Dev Server** (part of React Native CLI) listens on **0.0.0.0:8081** by default — binding to **all network interfaces**.
2. If the host is on a public or shared network (e.g., public Wi-Fi, misconfigured cloud VM), the server is **directly accessible from the internet**.
3. Attacker sends a **malicious POST request** to the `/open-url` endpoint.
4. The endpoint **fails to sanitize the `url` parameter**, allowing **OS command injection**.
5. Commands execute with the **privileges of the developer user** — full control over the machine.

### **Proof-of-Concept (PoC) Example**
```http
POST /open-url HTTP/1.1
Host: vulnerable-dev-machine:8081
Content-Type: application/json

{"url": "; calc.exe"}   // Windows
{"url": "; whoami"}     // Linux/macOS
```

**Result**: Arbitrary system commands run instantly. On Windows, Calculator launches; on Unix, user identity is returned — proof of full RCE.

---

## 🛡️ **Mitigation Steps (Act Now)**

### 1. **Update Immediately**
```bash
npm update @react-native-community/cli @react-native-community/cli-server-api
```
- Ensure version is **>= 20.0.0**
- Run `npm list @react-native-community/cli-server-api` to verify

### 2. **Bind to Localhost Only**
```bash
npx react-native start --host localhost
```
Prevents external access even if firewall is misconfigured.

### 3. **Firewall Rules**
- **Block inbound traffic** to port **8081** from external networks
- Allow only **127.0.0.1** or internal IPs

### 4. **Use VPN or Secure Networks**
Never run dev servers on public Wi-Fi or untrusted networks.

### 5. **Scan for Exposure**
Use internal network scanners to detect any `react-native start` instances bound to 0.0.0.0.

### 6. **Enable Automated Security**
- Turn on `npm audit` in CI/CD
- Use Dependabot or Snyk for dependency monitoring
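Step 1 relies on reading `npm list` output by eye, which is easy to get wrong when a vulnerable copy is nested several levels deep or carries a pre-release tag. The following is an added example, not from the advisory or the project, that walks `npm ls --all --json` output and flags every copy of `@react-native-community/cli-server-api` inside the affected range from the table above; it treats any version from 4.8.0 up to but excluding 20.0.0 as affected, which covers 20.0.0-alpha.2. The sample tree is constructed; replace it with `JSON.parse` of the real command output.

```javascript
// Added example, not from the advisory or the project: walks `npm ls --json`
// output and flags each copy of cli-server-api in the affected range
// (4.8.0 up to, excluding, the fixed 20.0.0). Sample tree is constructed.
const AFFECTED_PKG = "@react-native-community/cli-server-api";
const FIRST_AFFECTED = "4.8.0";
const FIXED = "20.0.0";
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: numeric core first; a release outranks every pre-release
// of the same core (20.0.0 > 20.0.0-alpha.2); pre-release identifiers compare
// numerically when both are numeric, otherwise lexically.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] - y.nums[i];
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length;
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p - +q; }
    else if (pn !== qn) return pn ? -1 : 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}
function isAffected(version) {
  return compareSemver(version, FIRST_AFFECTED) >= 0 && compareSemver(version, FIXED) < 0;
}

// Collects every instance of the package in an `npm ls --all --json` tree,
// nested copies included, with the dependency path that pulls it in.
function auditTree(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === AFFECTED_PKG) out.push({ path: here.join(" > "), version: dep.version, affected: isAffected(dep.version) });
    auditTree(dep, here, out);
  }
  return out;
}
// Constructed sample: a vulnerable copy under the CLI and a fixed copy elsewhere.
const SAMPLE_TREE = { name: "my-app", version: "1.0.0", dependencies: {
  "@react-native-community/cli": { version: "19.1.0", dependencies: { [AFFECTED_PKG]: { version: "19.1.0" } } },
  "some-tool": { version: "2.3.4", dependencies: { [AFFECTED_PKG]: { version: "20.0.0" } } } } };
for (const r of auditTree(SAMPLE_TREE)) console.log(r.affected ? "AFFECTED" : "ok", r.path);
```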

---

## 🔥 **Why This Is a Big Deal**

- **Target-Rich Environment**: Developer laptops contain **source code, API keys, SSH credentials, and build tools**.
- **Supply Chain Trust**: Maintained by **Meta** — a package trusted by enterprises and indie devs alike.
- **Mass Exposure**: Over **4,600 publicly reachable instances** already identified in internet-wide scans.
- **Silent Risk**: Many devs leave Metro running during long build sessions — perfect for drive-by attacks.

---

## 📢 **Global Awareness (X/Twitter Buzz)**

- **JFrog Security** issued urgent advisory: *"Remote attackers can execute code on your machine via a single HTTP request."*
- **ZoomEye** reported **4,600+ live vulnerable servers** within 24 hours of disclosure.
- Alerts in **Japanese, Persian, Portuguese, and English** — indicating **worldwide scanning activity**.
- Security researchers warn: **"This is the new Log4Shell for mobile devs."**

---

## 🔒 **Final Recommendation**

> **Patch to v20.0.0 TODAY. Bind to localhost. Block port 8081 externally.**

This is **not a theoretical risk** — active exploitation is highly likely due to ease of attack and high value of compromised dev machines.

**Stay safe. Update now.** 🔐