
fix: RCE vulnerability from CVE-2025-11953

Open thymikee opened this issue 1 month ago • 2 comments

Summary

Continuation of the fix that landed in https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547, that prevents RCE using a spoofed URL with a | character, such as: https://evil.com?|calc.exe.

cc @633kh4ck @mbaraniak-exodus

thymikee • Nov 12 '25 07:11

@thymikee, the fix seems reasonable, unless you switch in the future to a new version of open, which uses PS underneath. Then you will also need to escape $ (, etc. Be aware of (non-default) delayed expansion, which will make such syntax possible: !VAR!

mbaraniak-exodus • Nov 12 '25 15:11

For posterity: this is likely still fragile, but better than it was.

On a side note, this can (still) be exploited to exfiltrate some environment variables; possibilities are more limited, though. For example, https://example.com/?a=%¾TA% is encoded to https://example.com/?a=%25%C2%BETA%25 (note %BETA%).

633kh4ck • Nov 12 '25 18:11
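
The environment-variable case from the last comment, as an added example that is not part of the thread or the project's code: it lists the `%NAME%` sequences left in an encoded URL that match a defined variable, so such a URL can be rejected before it reaches cmd.exe. It assumes `encodeURI` as the encoder (it reproduces the encoded URL quoted above) and a constructed environment; the function names are hypothetical.

```javascript
// Added example (not from the thread or the CLI code base).
// Assumption: the encoded URL ends up on a cmd.exe command line, where text
// between two percent signs is looked up as an environment variable name.

// Returns every %...% span in `text` whose name matches a variable in `env`.
// Conservative: each adjacent pair of percent signs is checked, without
// modelling how cmd.exe pairs them while scanning.
function findCmdVariableReferences(text, env) {
  // cmd.exe variable names are case-insensitive.
  const defined = new Set(Object.keys(env).map((name) => name.toUpperCase()));
  const percents = [];
  for (let i = 0; i < text.length; i++) {
    if (text[i] === '%') percents.push(i);
  }
  const hits = [];
  for (let k = 0; k + 1 < percents.length; k++) {
    const raw = text.slice(percents[k] + 1, percents[k + 1]);
    // %NAME:~0,3% and %NAME:a=b% modifiers still reference NAME.
    const name = raw.split(':')[0].toUpperCase();
    if (name !== '' && defined.has(name)) hits.push(`%${raw}%`);
  }
  return hits;
}

// Encodes a URL with encodeURI (an assumption about the encoder) and reports
// what would still be expandable afterwards.
function checkEncodedUrl(url, env) {
  const encoded = encodeURI(url);
  return { encoded, references: findCmdVariableReferences(encoded, env) };
}

// Constructed sample environment and inputs.
const sampleEnv = { BETA: 'constructed-value', Path: 'C:\\Windows' };
for (const url of ['https://example.com/?a=%¾TA%', 'https://example.com/?q=a b']) {
  const { encoded, references } = checkEncodedUrl(url, sampleEnv);
  console.log(encoded, references.length ? `REJECT ${references}` : 'ok');
}
```

In real use, pass `process.env` as `env`; the check depends on which variables are defined on the machine that launches the browser.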