React Native Community CLI Server API Node.js Package 4.8.0 < 20.0.0 Remote Code Execution (CVE-2025-11953)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(298225);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/27");

  script_cve_id("CVE-2025-11953");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2026/02/26");

  script_name(english:"React Native Community CLI Server API Node.js Package 4.8.0 < 20.0.0 Remote Code Execution (CVE-2025-11953)");

  script_set_attribute(attribute:"synopsis", value:
"The React Native Community CLI Server API Node.js Package installed on the remote host is affected by a remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of the React Native Community CLI Server API Node.js Package installed on the remote host is 4.8.0 prior
to 20.0.0. It is, therefore, affected by a remote code execution vulnerability:

  - The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by
    default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated
    network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can
    also execute arbitrary shell commands with fully controlled arguments. (CVE-2025-11953)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2dfb0e10");
  script_set_attribute(attribute:"solution", value:
"Upgrade to React Native Community CLI Server API Node.js Package version 20.0.0 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-11953");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/11/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/11/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/02/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"asset_categories", value:"component");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:nodejs:node.js");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("nodejs_modules_win_installed.nbin", "nodejs_modules_linux_installed.nbin", "nodejs_modules_mac_installed.nbin");
  script_require_keys("Host/nodejs/modules/enumerated");

  exit(0);
}

include('vcf_extras_nodejs.inc');

get_kb_item_or_exit('Host/nodejs/modules/enumerated');

var app = '@react-native-community/cli-server-api';
var app_info = vcf_extras::nodejs_modules::get_app_info(app:app);

if (empty_or_null(app_info))
  audit(AUDIT_NOT_INST, app);

var constraints = [
  {'min_version':'4.8.0', 'fixed_version':'20.0.0'}
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);