Apache Syncope Patched Security Vulnerability that Affected Multiple Versions of the Identity & Access Management Platform
Apache Syncope Patched Security Vulnerability Exposes User Password via Hardcoded AES Key
Continue ReadingInfosec
Shai-Hulud’s ‘Second Coming’ npm Malware Infects Popular Developer Packages
Shai-Hulud malware campaign, npm Packages
Continue Reading
Microsoft Patched Critical Azure Bastion Elevation of Privilege Vulnerability
Azure Bastion Elevation of Privilege Vulnerability CVE-2025-49752
Continue Reading
SonicWall SSLVPN Vulnerability Allows Remote Attackers to Crash Firewalls
Summary : A security flaw was discovered in SonicWall’s SonicOS SSLVPN component, affecting both hardware and virtual firewall appliances across Gen7 and Gen8 product lines.
| OEM | SonicWall |
| Severity | High |
| CVSS Score | 7.5 |
| CVEs | CVE-2025-40601 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The SonicWall vulnerability allows remote attackers, without any authentication, to crash into affected firewalls by sending specially crafted traffic to the SSLVPN service. There are no public exploitation in the wild but it is strongly advised customers to apply the available patches immediately to minimize risk.
In simple terms, the component fails to validate the size or structure of certain data before copying it to a stack‐allocated buffer. Under malicious input, the overflow can overwrite the stack, leading the firewall device to crash.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Stack-based buffer overflow in SonicOS SSLVPN service | CVE-2025-40601 | SonicWall SonicOS Firewalls (Gen7 and Gen8 Hardware and Virtual) | High | 7.3.1-7013 (Gen7), 8.0.3-8011 (Gen8) and latest one |
Technical Summary
The vulnerability occurs due to a stack-based buffer overflow affecting the SSLVPN service of SonicOS. Devices with the SSLVPN interface enabled are vulnerable.
This flaw permits remote unauthenticated attackers to trigger a denial-of-service condition, leading to a full firewall crash and service outage.
The problem impacts a wide range of SonicWall firewall models including Gen7 (TZ270, NSa 2700 series etc) and Gen8 (TZ280, NSa 2800 series etc). Administrators are urged to upgrade to the latest versions and restrict SSLVPN access to trusted IPs or disable external-facing SSLVPN portals until remediation is complete.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-40601 | SonicWall SonicOS SSLVPN service | Stack-based buffer overflow allows remote unauthenticated attackers to send crafted requests causing a denial-of-service crash of the firewall. Only devices with SSLVPN enabled are vulnerable. | Remote denial-of-service |
Recommendations
Update SonicWall immediately to the following fixed versions:
- Gen7 Hardware Firewalls: 7.3.1-7013 and higher versions
- Gen7 Virtual Firewalls : 7.3.1-7013 and higher versions
- Gen8 Firewalls: 8.0.3-8011 and higher.
You can follow some below workaround here
- Temporarily disable the SSLVPN service if possible or restrict SSLVPN access only to trusted source IP addresses.
- Avoid exposing the SSLVPN service to untrusted internet sources until patched.
- Continuously monitor firewall and network logs for unusual SSLVPN activity or connection attempts that might indicate probing or exploitation attempts.
Conclusion:
There has no evidence of active exploitation for this vulnerability, but the issue makes unpatched firewalls highly attractive targets for threat actors capable of causing major network outages.
Organizations relying on SonicWall should prioritize applying the latest patches and review their SSLVPN exposure as part of broader incident prevention. For those unable to patch immediately, restricting or disabling external SSLVPN access is strongly recommended until fixes can be deployed.
References:
Chrome V8 Type Confusion Vulnerability Actively Exploited In The Wild
Summary : Security advisory: Google has released an urgent security update to patch two high-severity Type Confusion vulnerabilities in the V8 JavaScript engine. The CVEs vulnerabilities are CVE-2025-13223, CVE-2025-13224 .
| OEM | |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-13223, CVE-2025-13224 |
| POC Available | No |
| Actively Exploited | Yes |
| Exploited in Wild | Yes |
| Advisory Version | 1.0 |
Overview
One of these vulnerability (CVE-2025-13223) is already being actively exploited in the wild, allowing attackers to potentially execute arbitrary code through malicious web content. which attackers can bypass Chrome’s sandbox, steal sensitive data, or deploy malware. The fixes have been rolled out for Chrome Stable 142.0.7444.175/.176 across Windows, Mac, and Linux.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Type Confusion Vulnerability in V8 JavaScript Engine | CVE-2025-13223 | Google Chrome | High | v142.0.7444.175 / v142.0.7444.176 |
| Type Confusion Vulnerability in V8 JavaScript Engine | CVE-2025-13224 | Google Chrome | High | v142.0.7444.175 / v142.0.7444.176 |
Technical Summary
Both vulnerabilities occur from Type Confusion vulnerabilities in Chrome’s V8 engine, where incorrect data-type handling leads to memory corruption and possible code execution. The CVE-2025-13223 is already being exploited in the wild and may involve APT-driven activity.
Another vulnerability was found internally through Google’s Big Sleep fuzzing system as part of ongoing proactive defense.
These weaknesses can allow attackers to bypass browser security boundaries and execute malicious actions remotely. Urgent need for users and administrators to apply Chrome’s latest security updates immediately.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-13223 | Google Chrome (V8 Engine) | Type confusion due to improper type handling in V8 allowing memory corruption. | Remote Code Execution, Sandbox Escape |
| CVE-2025-13224 | Google Chrome (V8 Engine) | Type confusion triggered during script execution, discovered via fuzzing | Remote Code Execution, Browser Crash |
Remediation:
- Immediate Action: Users and organization administrators should update Chrome immediately to the following patched versions:
- Windows: 142.0.7444.175 / 142.0.7444.176
- MacOS: 142.0.7444.176
- Linux: 142.0.7444.175
Here are some recommendations below
- Enforce Chrome auto-updates on all endpoints via enterprise policies.
- Monitor browser crash logs and unusual behaviors tied to JavaScript execution.
- Run updated vulnerability & patch management tools to ensure full endpoint compliance.
- Educate users to avoid suspicious links and unknown websites during active exploitation events
Conclusion:
With Chrome being the most widely used browser globally, prompt updates are essential for the new security vulnerabilities. Maintaining browsers at the latest versions remains the strongest defenses against modern web-based attacks in modern cyber world.
References:
Zoho Analytics On-Premise Critical SQL Injection Vulnerability Allows Attackers to Takeover Data
Zoho Analytics on-premise installations were recently found to have a SQL Injection vulnerability- CVE-2025-8324 that exposes enterprise environments to risk. The flaw is prevalent in all Zohocorp ManageEngine products, built prior to the most recent patch and enables attackers to exploit weaknesses in the application’s input validation logic.
The flaw enables attackers to execute queries without authentication mainly arbitrary SQL injection, without prior authentication, leading to unauthorized data exposure and account takeovers.
| OEM | Zoho |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-8324 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview Malicious actors can launch attacks remotely and takeover user accounts, sensitive analytics data and any connected business intelligence workflows. Administrators are urged to update to the latest version to mitigate this risk.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Unauthenticated SQL Injection | CVE-2025-8324 | Zoho Analytics On-Premise | Critical | 6171 and later |
Technical Summary
At the root of this flaw is improper input validation for user-supplied parameters within specific URLs of the Zoho Analytics Plus backend.
This allows arbitrary SQL queries to be executed by anyone with network access to the service, even if they have no login credentials. Zoho has enforced input checks and removing vulnerable backend components altogether.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-8324 | Zoho Analytics Plus On-Premise | An unauthenticated SQL injection vulnerability caused by improper input validation allowing attackers to inject arbitrary SQL queries remotely without authentication. | Account takeover, user data leak |
Recommendations
- Organizations must update Zoho Analytics Plus On-Premises immediately to the Build 6171 version or later.
Here are some recommendations you can follow
- Enforce patch deployment across all managed analytics instances to ensure consistency and security.
- Continuously monitor logs for unusual SQL query activities or access attempts that could indicate exploitation attempts.
Conclusion:
The Zoho Analytics On-Premise deployments, could enable full data and account compromise through unauthenticated SQL injection. CVE-2025-8324 represents a critical security risk, classified at the highest severity level due to its potential impact and ease of exploitation.
Although no active exploitation has been detected to date, the severity of the flaw demands immediate attention. Immediate patching is essential to secure environments and prevent any chance of data compromise or unauthorized access.
References:
Evolving Phishing Scams & Cost Incurred by Organization’s in 2025
Any phishing scams that occur, the purpose is to trick unsuspecting victims or organizations into taking a specific action and that can range from clicking on malicious links, downloading harmful files or sharing login credentials. Sometimes the effectiveness of phishing attacks stems from their use of social engineering techniques that have the ability to exploit human psychology or behavior. In 2025 we have witnessed the how evolving phishing scams that have affected organizations financially.
Often we see phishing scams create a sense of urgency, or curiosity thereby prompting victims to act quickly without verifying the authenticity of incoming request. Now with evolving technology, phishing tactics are also evolving making these attacks increasingly sophisticated, hard to detect. In coming years we will witness how AI will power more phishing attacks, including text-based impersonations to deepfake communications. These will be more cheap and popular with threat actors.
Cyber security researchers found that there is a link between ransomware, malware and form encryption and most were caused by.
14% Malicious websites
54% Phishing
27% Poor user pactices / gullibility
26% Lack of cybersecurity training
A survey by Statista found that ransomware infections were caused by:
- 54% Phishing
- 27% Poor user pactices / gullibility
- 26% Lack of cybersecurity training
- 14% Malicious websites
In this blog we will highlight latest phishing statistics that emerged in 2025 ,affecting organizations and phishing scams are changing.
As per APWG report found on Unique phishing sites. This is a primary measure of reported phishing across the globe. This is determined by the unique bases of phishing URLs found in phishing emails reported to APWG’s repository.
In the first quarter of 2025, APWG observed 1,003,924 phishing attacks. This was the largest quarterly
total since 1.07 million were observed in Q4 2023. The number has climbed steadily over the last year:
from 877,536 in Q2 2024, to 932,923 in Q3, to 989,123 in Q4. One of the reason cited being advancement in AI is also making it easier for criminals to create convincing and personalized phishing lures.
Hoxhunt find alarming statistics on phishing related attack of 2025
| Business email compromise (BEC) | A staggering 64% of businesses report facing BEC attacks in 2024, with a typical financial loss averaging $150,000 per incident. These phishing attacks frequently target employees with access to financial systems, mimicking executives or trusted contacts. |
| Credential phishing | Around 80% of phishing campaigns aim to steal credentials, particularly targeting cloud-based services like Microsoft 365 and Google Workspace. With the growing reliance on cloud platforms, cyber attackers leverage realistic fake login pages to deceive users. |
| HTTPS phishing | An increasing number of phishing sites now use HTTPS to appear legitimate. In 2024, approximately 80% of phishing websites feature HTTPS, complicating detection for users. |
| Voice phishing (vishing) | Vishing attacks are growing in prevalence, with 30% of organizations reporting instances where threat actors used fake calls to impersonate officials or executives. |
| Quishing (QR code phishing) | QR code phishing attacks (quishing) increased by 25% year-over-year, as attackers exploit physical spaces like posters or fake business cards to lure victims. |
| AI-driven attacks | AI is powering phishing attacks, with deepfake impersonations increasing by 15% in the last year. These attacks often target high-value individuals in finance and HR. |
| Multi-channel phishing | Attackers are increasingly exploiting platforms like Slack, Teams, and social media. Around 40% of phishing campaigns now extend beyond email, reflecting a shift to these channels. |
| Government agency impersonation | Phishing emails mimicking government bodies such as the IRS or international tax agencies have increased by 35%. These often involve claims about overdue taxes or fines. |
| Phishing kits | The availability of ready-to-use phishing kits on the dark web has risen by 50%, enabling less sophisticated attackers to deploy high-quality phishing schemes. |
| Brand impersonation | Attackers frequently impersonate well-known brands like Microsoft, Amazon, and Facebook, leveraging user trust. For example, over 44,750 phishing attacks specifically targeted Facebook by embedding its name in domains and subdomains over the past year. |
Cost of Phishing attacks
According to the 2024 IBM / Ponemon Cost of a Data Breach study, the average annual cost of phishing rose by nearly 10% from 2024 to 2023, from $4.45m to $4.88m. That’s the biggest jump since the pandemic.
The IBM study reported the following costs:
- Phishing breaches: $4.88M
- Social engineering: $4.77M
- BEC: $4.67M
The above-listed categories of cyber security breach costs are all related to people-targeted attacks. BEC, social engineering, and stolen credentials often contain a phishing element.
Barracuda research found that email remains the common attack vector for cyber threats and highlighted their key findings:
1 in 4 email messages are malicious or unwanted spam.
83% of malicious Microsoft 365 documents contain QR codes that lead to phishing websites.
20% of companies experience at least one account takeover (ATO) incident each month.
Nearly one-quarter of all HTML attachments are malicious and more than three-quarters of
companies are not actively preventing spoofed emails.
Bitcoin sextortion scams, an emerging trend, account for 12% of malicious PDF attachments.
Nearly half of all companies have not configured a DMARC policy, putting them at risk
of email spoofing, phishing attacks, and business email compromise.
The Barracuda research also found malicious one in four emails are either malicious or unwanted spam and malicious attachment is prevalent in various file.
An alarming 87% of binaries detected were malicious, highlighting the need for strict policies against executable files being sent via email, since they can directly install malware. Despite a relatively low total volume, HTML files have a high malicious rate of 23% and are often used for phishing and credential theft.
The research say that small businesses more vulnerable to email threats, due to limited cybersecurity resources, smaller IT teams and they rely on basic email security solutions. Small business may not have required solutions to handle sophisticated attacks, such as business email compromise (BEC), phishing and ransomware.
How Organizations can strengthen their defense
As organizations embark to strengthen their defenses, it’s crucial they don’t overlook the human element and Cybersecurity hygiene. That definitely starts by identifying security at every step starting from ensuring every user, machine or system that has right to access privileges.
Cybersecurity is as much a cultural issue as it is a technical one, as a single click can compromise an entire organization, behavior starts to shift from compliance to accountability
Whenever there is a successful phishing attack, researchers emphasize that this attack succeeds by exploiting human trust and familiarity with corporate communication formats. Security awareness remains the most vigorous defense as the growing complexity of these campaigns indicates that phishing operations are increasingly automated, data-driven and adaptive.
Conclusion: As organizations move towards adopting AI, so as attackers to continuously refining their tactics, evade traditional security measures. In this scenario organizations must mitigate the risks by adopting a multi-layered approach to email security. This will include all from leveraging AI-driven threat detection, real-time monitoring and user awareness training.
Phishing Detection & DeepPhish
For organizations who reply on unlike traditional rule-based phishing detection, which relies on blacklists and predefined rules. DeepPhish is implemented, that continuously learns from new phishing attempts, making it highly adaptive and effective against evolving threats.
DeepPhish employs a multi-layered AI approach to detect phishing threats and theses include Email and Website Analysis,uses ML algorithms to analyze historical phishing attacks and identify new patterns and NLP helps DeepPhish analyze email content, message tone, and linguistic patterns that phishers use to trick users.
(Source: APWG.org)
(Source: https://www.barracuda.com/reports/2025-email-threats-report)
(Sources: hoxhunt.com)
Amazon Workspace Client for Linux Token Vulnerability Fixed in Version 2025.0
Summary : Amazon patched a vulnerability in the Linux version of its Workspace’s client that improperly handles authentication tokens in versions from 2023.0 through 2024.8.
| OEM | Amazon |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-12779 |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
This flaw allows local users on the same machine such as in shared, multi-user environments to extract valid authentication tokens.
Often used to impersonate other users and gain unauthorized access to their virtual desktop sessions, exposing sensitive data and applications.
The issue does not allow remote exploitation, but it poses a significant risk in workplaces using shared Linux systems for Workspace’s access.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Improper Authentication Token Handling in Amazon WorkSpaces Client | CVE-2025-12779 | Amazon WorkSpaces client for Linux | High | 2025.0 |
Technical Summary
The root cause lies in insecure management of authentication tokens, enabling token extraction by unintended local users. This vulnerability was assigned to high severity, prompting Amazon to issue a fix in the 2025.0 version of the client.
The update improves session isolation and secures token handling, protecting against lateral token theft.
Users and Administrators are strongly advised to upgrade promptly to avoid unauthorized access risks associated with multi-user Linux setups commonly found in corporate or virtual machine environments.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-12779 | Amazon WorkSpaces client for Linux (versions 2023.0 through 2024.8) | Local users on shared Linux machines can extract authentication tokens due to improper token handling, allowing them to access other users’ Workspaces. | Unauthorized access to another user’s workspace |
Recommendations
- Update the Amazon Workspace’s client for Linux immediately to version 2025.0 or later.
Conclusion:
This vulnerability highlights the criticality of robust token security in virtual desktop clients, especially for environments with shared access.
Amazon’s swift patch release underscores the need for continuous vigilance and timely updates to maintain secure remote workspace solutions and prevent privilege escalation through token leakage. Upgrading to the patched version effectively mitigates the exposure and secures user sessions.
References:
AI Surge in CyberSecurity Redefining Threat & Defense; Reshaping Software Development & Security
Currently enterprise Cyber Security strategy with AI has become a game changer, reshaping is critical for both threat and defense. Embracing Gen AI for a robust defensive system empowers organizations to analyze vast amount of data is key requirement for enterprise security where software development is key to enterprise security , embracing ‘security by design’.
In 2024-2025, we have witnessed how mainstream enterprise deployment of AI has changed the strategic cyber security requirement. Thereby creating a strong defense mechanism around enterprise security, redefining the threat landscape and shaping software development.
AI is changing the way we look at products being a risk multiplier. How organization balancing innovation with protection?
AI can track and break commonly used passwords within minutes. So this is scary as more powers are in the hands of hackers, on the other side AI can improve password security again a boon. The Dark Web is already selling Fraud GPT and Worm GPT.
For Organizational cyber security strategy AI is being used now to tackle threats and cyber defense. Again AI has the capability to accelerate the speed of cyber attacks.
So what are leaders deciding when chasing AI based products. The way leaders are looking at products is products that give practical and actionable outlook and being embedded in delivery workflows.
Strategically, this means evolving away from rigid, checkbox-based compliance toward dynamic, adaptive security models that reflect how modern teams really build software—especially in AI-accelerated environments.
As per statistics 2025 witnessed the following AI based cyber attacks.16% of all breaches in 2025 involved attackers using AI. (IBM),and other AI attacks included 37% used phishing attacks and 35% used deepfake attacks. (IBM). 63% of breached organizations had no AI governance policy or were still developing one, highlighting the governance gap around AI adoption (IBM).
OpenText has released their survey and the report entails, AI is rapidly changing the threat landscape for organizations . Organizations are navigating a high-stake balancing act to enable innovation while managing risk.
Here are the key findings
Top AI-related concerns among respondents include data leakage (29%), AI-enabled attacks (27%), and deepfakes (16%).
95% of respondents are confident in their ability to recover from a ransomware attack, but only 15% of those attacked fully recovered their data.
88% allow employees to use GenAI tools, yet less than half (48%) have a formal AI use policy.
Enterprises lead AI governance (52%) compared to SMBs (43%) by having a formal AI policy in place.
52% report increased phishing or ransomware due to AI; 44% have seen deepfake-style impersonation attempts.
Surge in AI Threats via sophisticated attacks
One of the reasons cited by threat researchers is organizations are embracing GenAI, allowing employees to use generative AI tools and few less then 50% have a formal AI-use or data privacy policy in place, the report noted.
This is added with hackers innovative way in tricking using AI, bypassing any defense mechanism which is traditional.
AI tools are now being used to create such convincing phishing emails, fake websites and even deepfake videos to injecting malicious code giving leverage to cyber criminals
In the last few months we witnessed how Ransomware attacks round the world surged and quite complex in nature as third-party service providers or software supply chains were prime targets. The Qantas airline breach and M&S data beach that hit UK’s top retail brand.
While Qantas did not to Information Age whether AI voice deepfakes were used in the breach, the cybercrime group experts believe may be linked to the hack — dubbed ‘Scattered Spider’ — has a track record of using voice-based phishing (or ‘vishing’) in its attacks. This is clear AI being used and surge is quite high in AI based cyber attacks.
AI for Cyber Defense for Organizational Cyber Security Strategy
It is not hackers who are benefiting but for Organizations it is a game changer as AI being used to detect attack at faster pace meaning mean time.
Findings of this survey reinforces that protecting against ransomware now depends not just on internal defenses, but also on how effectively organizations’, partners, and technology providers collaborate to close security gaps before they are exploited.
Key pointer for building pragmatic and strategic choices and this approach starts with embracing security by design approach in developmental life cycle.
- Continuously Embedding security in developer workflows keeping automating, scanning, policy enforcement and anomaly detection in tools used by developers.
- Cybersecurity AI tools are better at identifying patterns and anomalies in large datasets including vulnerabilities. teams have to highly prioritize and contextualize them in term of developing products.
- Supposedly there is an attack and the security tools not able to detect. So continuous testing is mandatory.
- Developers can favor simple solutions that favors pragmatic security patterns and transparency in architecture. In this way trust is developed with clients.
Few important developers keep in focus is to sponsor bug bounties, publish advisories using standards like the Common Security Advisory Framework (CSAF) and provide context on severity and exploitability.
Threat researcher suggest organizations who are building in products accept all vulnerability reports, investigate them, and fix the issues. Any critically important advisory to be used for root cause analysis to improve tools, training and various threat models. Developers are suggested to give feedback for external tools if they help them evolve. Understanding no software can ever be perfect.
Offerings from IntruceptLabs are exactly what you need to develop organizational cyber defense capabilities
Intru360
Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.
Identify latest threats without having to purchase, implement, and oversee several solutions or find, hire, and manage a team security analyst. Unify latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.
Here are some features we offer:
- Over 400 third-party and cloud integrations.
- More than 1,100 preconfigured correlation rules.
- Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
- Prebuilt playbooks and automated response capabilities.
(Sources: https://www.mckinsey.com/about-us/new-at-mckinsey-blog/ai-is-the-greatest-threat-and-defense-in-cybersecurity-today)
Sources: https://investors.opentext.com/press-releases/press-releases-details/2025/OpenText-Cybersecurity-2025-Global-Ransomware-Survey-Rising-Confidence-Meets-a-Growing-AI-Threat/default.aspx)
Critical React Native CLI Vulnerability Enables OS Command Injection
Summary: React Native is an open source framework maintained by Meta . A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-11953 |
| POC Available | Yes |
| Actively Exploited | No |
| Advisory Version | 1.0 |
Overview
A critical remote code execution vulnerability in the @react-native-community/cli package, a core toolset used by React Native developers. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on machines running the React Native Metro development server.
The vulnerability comes from unsafe input handling in the /open-url endpoint using the insecure open() function, and a React Native CLI flaw that exposes the server to remote code execution. Immediate updates and mitigations are recommended for all using the affected package versions.
| Vulnerability Name | CVE ID | Product Affected | Severity | Affected Version |
| OS Command Injection | CVE-2025-11953 | @react-native-community/cli @react-native-community/cli-server-api | Critical | @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 |
Technical Summary
The Metro development server’s /open-url HTTP POST endpoint unsafely passes unsanitized user input (url field) as an argument to the open() function from the open NPM package which leads to OS command injection.
On Windows, the vulnerability allows arbitrary shell command execution with full control over parameters via cmd /c start command invocation. On macOS/Linux, arbitrary executables can be launched with limited parameter control. Further exploitation may lead to full RCE, but not confirmed yet. The server binds to all interfaces by default (0.0.0.0), exposing the endpoint externally to unauthenticated network attackers.
| CVE ID | Component Affected | Vulnerability Details | Impact |
| CVE-2025-11953 | Development Server’s /open-url Endpoint | The React Native CLI’s Metro server binds to external interfaces by default and exposes a command injection flaw, letting remote attackers send POST requests to run arbitrary executables or shell commands on Windows. | Remote OS Command Injection |
Recommendations
- Update to @react-native-community/cli-server-api version 20.0.0 or later immediately.
If upgrading is not possible,
- Restrict the Metro server to localhost by adding the flag: –host 127.0.0.1 when starting the server.
- Integrate static and dynamic code analysis tools in development pipelines to detect injection risks early.
How these kind of security flaw can cause damage?
This vulnerability poses a critical threat to React Native developers using the Metro development server due to unauthenticated RCE via network exposure. For any unauthenticated network attacker this is privilege they can weaponize the flaw and send a specially crafted POST request to the server. Then run arbitrary commands.
The attack takes a different turn when it comes to Windows and the exploitation is severe. The attackers can also execute arbitrary shell commands with fully controlled arguments, while on Linux and macOS, it can be widely used to execute arbitrary binaries with limited parameter control.
The vulnerable endpoint, /open-stack-frame, is designed to help developers open a file in their editor at a specific line number when debugging errors. This endpoint accepts POST requests with parameters such as file and lineNumber.
The incident highlight requirement for more rigorous input validation and secure-by-default configurations in developer environments.
What should organizations looks for while selecting a comprehensive tools that can provide thorough combing across their IT environment, networks, applications and cloud infrastructure.
Detecting vulnerabilities, misconfigurations with GaarudNode from Intruceptlabs makes it a go to scanner
- GaarudNode excels at detecting vulnerabilities, misconfigurations, and compliance issues across a wide range of systems and applications.
- Provides a comprehensive security framework that ensures your applications are built, tested, and deployed with confidence.
- Any Application security tools are designed to identify a wide range of vulnerabilities across different stages of the software development lifecycle and other types of security issues.
- GaarudNode can be used for intrusion detection, making it a flexible tool for cybersecurity professionals on a budget.
- Prompt patching and secure server binding are essential to mitigate this type of risk. There is no current evidence of active exploitation, but the ease of exploitation makes this a high priority vulnerability to fix. Continuous, real-time monitoring of vulnerabilities is necessary to stay ahead of threats.
References:
Recent Comments