Metro4Shell: OS Command Injection in React Native Community CLI Metro Development Server
CVE-2025-11953, also referred to as Metro4Shell, is a critical unauthenticated OS command injection vulnerability in the Metro Development Server started by the React Native Community CLI, affecting the @react-native-community/cli / @react-native-community/cli-server-api package line. The issue is exposed through the Metro server’s POST handler at /open-url. Metro binds to external interfaces by default, and attacker-controlled input reaching the vulnerable endpoint is passed into unsafe OS execution paths, including the open() function of the open npm package. A remote attacker who can reach the Metro server can send a crafted POST request and cause an arbitrary executable to be launched on the affected host; on Windows, the flaw permits arbitrary shell command execution with fully controlled arguments. The vulnerability affects development and CI/test environments where Metro is running and network-reachable, not production React Native applications themselves.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
Repository is a small “PoC CVE collection” with 3 CVE folders referenced, but only CVE-2025-11953 contains actual exploit code in the provided archive (Python + Bash). The other two CVEs (CVE-2025-59287 WSUS deserialization RCE and CVE-2025-8941 Linux-PAM pam_namespace privesc) are documentation-only here (READMEs describe additional scripts like wsus-exploit.py/pam-exploit.c, but those files are not present in the provided file list).
CVE-2025-11953 exploit purpose/structure:
- Target: React Native Community CLI Metro development server exposing an `open-url` HTTP endpoint.
- Primitive: unauthenticated network OS command injection by POSTing JSON to `/open-url` with a crafted `url` value.
- Files:
  - `CVE-2025-11953/exploit-basic.sh`: minimal PoC that checks reachability (GET /) then POSTs to `$TARGET/open-url` with `{"url":"$COMMAND"}`; treats HTTP 200/204 as success.
  - `CVE-2025-11953/exploit-advanced.py`: a more featureful exploitation tool using `requests.Session()`.
    - `test_connectivity()` performs GET to base target URL.
    - `execute_command()` posts to `{target}/open-url` and supports OS selection; Windows wraps commands with `cmd /c`.
    - `upload_file()` reads a local file, base64-encodes it, and writes it to an arbitrary remote path via an inlined PowerShell `WriteAllBytes` command (Windows-only).
    - `get_reverse_shell()` sends an inlined PowerShell reverse shell that connects back to attacker-supplied `--lhost` and `--lport` (default 4444).
Output is effectively blind (no command output parsing), consistent with the README warning.
Notable fingerprintable network targets/endpoints:
- HTTP endpoint `/open-url` on the Metro server (commonly port 8081) is the key exploit surface.
- Reverse shell callback is to attacker-controlled TCP `lhost:lport` (default port 4444).
Overall, this repo is primarily an operational RCE PoC/tooling for CVE-2025-11953, packaged alongside documentation for two additional CVEs that are not actually implemented in the provided code snapshot.
Repository is a small proof-of-concept for CVE-2025-11953 affecting the React Native/Metro development server exposure of an open-url endpoint (openURLMiddleware from @react-native-community/cli-server-api). The core idea is that the dev server may bind to external interfaces and exposes /open-url, which is described as vulnerable to OS command injection, allowing unauthenticated remote attackers to execute arbitrary executables; on Windows it can execute shell commands with controlled arguments.
Structure/purpose by file:
- README.md: Describes the vulnerability and impact (unauthenticated network OS command injection via Metro dev server /open-url).
- vuln_server.js: Minimal reproduction server using Node http + connect, mounting openURLMiddleware at path '/open-url' and listening on port 8081.
- poc.py: Python requests client that POSTs JSON {"url": "https://google.com"} to http://localhost:8081/open-url to demonstrate opening a browser.
- windows_PoC.py: Similar Python client but uses {"url": "calc.exe"} to demonstrate launching an executable on Windows.
- package.json / metro.config.js / index.js: Project scaffolding and dependencies to run the reproduction environment; index.js is a dummy entry.
Exploit capabilities: remote, unauthenticated HTTP POST to a known endpoint (/open-url) with attacker-controlled JSON parameter 'url' that is processed by the vulnerable middleware, potentially resulting in command execution / arbitrary program launch on the host running the dev server. No advanced payload staging, persistence, or post-exploitation is included; it is a basic PoC demonstrating the vulnerable behavior.
This repository is a research environment for CVE-2025-11953, a critical RCE vulnerability in the React Native CLI's Metro development server. It contains a fully functional, intentionally vulnerable server (VulnerableMetroServer.js) that exposes several HTTP endpoints, most notably /open-url, which is vulnerable to OS command injection via unsanitized user input. The /inject-test and /execute endpoints also allow command injection and direct command execution, respectively. The test-exploit.js script automates exploitation of these endpoints with various payloads, demonstrating the vulnerability's impact. The server logs all activity to metro_server.log. The repository is structured for security research and detection development, not for production use. The exploit is network-based, targeting the HTTP API of the Metro server, and allows arbitrary command execution on Windows (and other platforms) with the privileges of the Node.js process.
This repository is a PoC collection for several recent critical CVEs, with a focus here on CVE-2025-11953 (React Native Community CLI Metro Development Server RCE). The exploit targets the '/open-url' HTTP endpoint exposed by the Metro server, which is vulnerable to OS command injection due to unsanitized input passed to the Node.js 'open' package. The repository includes both a simple Bash PoC (exploit-basic.sh) and a full-featured Python exploitation framework (exploit-advanced.py). The Python tool supports single command execution, interactive mode, reverse shell deployment (PowerShell for Windows), and file upload (Windows). The exploit is operational and can be used against Windows, Linux, and MacOS targets, provided the vulnerable Metro server is accessible over the network. The main attack vector is unauthenticated network access to the Metro server's '/open-url' endpoint (typically on port 8081). The repository is well-documented, with detailed usage instructions, mitigation advice, and detection guidance. No hardcoded IPs or domains are present; the exploit is designed to be used against user-specified targets.
This repository is a comprehensive educational demonstration of CVE-2025-11953, a critical unauthenticated command injection vulnerability in the React Native CLI's Metro server (specifically in @react-native-community/cli-server-api <= 12.3.6). The vulnerability allows remote attackers to execute arbitrary OS commands by sending crafted POST requests to the /open-url endpoint, which is exposed by default and binds to all interfaces unless configured otherwise.
The repository contains:
- Multiple exploit scripts (Bash and PowerShell) that automate exploitation of the vulnerability, demonstrating RCE on both Windows and Unix-like systems.
- A realistic vulnerable server implementation in Node.js (realistic-vulnerable-server.js) that mimics the actual vulnerable behavior, including endpoints for health checks and listing files created by attacks.
- Setup scripts and configuration files to launch both vulnerable and secure environments for testing.
- Example payloads that create files, gather system and network information, perform command chaining, and even add new users on Windows.
The main attack vector is network-based, targeting the /open-url HTTP endpoint. The exploit scripts are operational and provide real RCE, not just detection. The repository is well-structured for educational and research purposes, with clear separation between exploit code, vulnerable server setup, and documentation. No fake or destructive payloads are present; all actions are for demonstration and proof-of-concept. Mitigation advice is included throughout the code and documentation, recommending upgrades to patched versions, restricting server binding to localhost, and implementing input validation.
Recent activity
117 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A React Native CLI vulnerability referred to as Metro4Shell that was actively exploited via infrastructure on Saudi Arabia’s Mobily network to disable security tools and download malicious binaries.
A critical unauthenticated remote code execution vulnerability in the React Native Metro development server that P2Pinfect operators used as an initial access vector to recruit new botnet nodes.
Metro4Shell: critical RCE in Metro Development Server used by React Native CLI npm package; exploitation observed.