CVE-2025-11953 Elastic Security · Elastic

Detect React Native Community CLI OS Command Injection (CVE-2025-11953) in Elastic Security

Detects exploitation of CVE-2025-11953, an OS command injection vulnerability (CWE-78) in the React Native Community CLI. An attacker who can influence arguments or configuration consumed by the React Native CLI can inject arbitrary OS commands that execute with the privileges of the developer or CI/CD process invoking the CLI. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Execution Persistence Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.name, user.name with maxspan=2m
  [process where process.name : ("node", "node.exe") and
   (process.command_line : ("*react-native*", "*@react-native-community*", "*rn-cli*") or
    process.parent.command_line : ("*react-native*", "*@react-native-community*"))]
  [process where process.name : ("sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe", "pwsh.exe") and
   process.command_line : ("*curl *", "*wget *", "*nc *", "*ncat *", "*/dev/tcp*", "*bash -i*", "*sh -c*", "*powershell*", "*Invoke-Expression*")]
high severity medium confidence

EQL sequence query correlating a React Native CLI node process with a subsequent shell or download utility invocation within a two-minute window on the same host and user, indicative of command injection exploitation.

Data Sources

Elastic Endpoint SecurityAuditdSysmon

Required Tables

logs-endpoint.events.process*logs-system.syslog*

False Positives & Tuning

  • Automated mobile development environments where shell scripts are legitimately chained after react-native CLI commands.
  • Build servers running react-native bundler with post-build shell hooks.
  • Developer-triggered npm scripts that spawn sub-shells after CLI invocation.
  • Legitimate usage of react-native run-android or run-ios with custom shell environment setup.

Other platforms for CVE-2025-11953

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Command Injection via React Native CLI project name argument

    Expected signal: Process create event showing node spawning sh or bash with a command line containing the injected semicolon-delimited id command; file creation event for /tmp/cve_2025_11953_poc.txt.

  2. Test 2Reverse shell injection via React Native CLI on Linux

    Expected signal: Process create events for node → sh → id; file write to /tmp/rn_inject_test.txt containing the output of id.

  3. Test 3Remote payload download via injected curl in React Native CLI build context

    Expected signal: Process create event for node spawning sh, which spawns curl with an external URL argument; network connection event for curl to destination host.

  4. Test 4Windows PowerShell injection via React Native CLI on Windows

    Expected signal: Sysmon Event ID 1 showing node.exe spawning cmd.exe which spawns powershell.exe; file creation event in %TEMP% for rn_inject_test.txt.

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2025-11953 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0003PersistenceTA0008Lateral Movement

Related Techniques

T1059Command and Scripting InterpreterT1190Exploit Public-Facing ApplicationT1203Exploitation for Client Execution

Same Tactic: Execution

Popular Detections