This week's release introduces new detections for a critical authentication bypass vulnerability in Fortinet products (CVE-2025-59718), alongside three new generic detection rules designed to identify and block HTTP Parameter Pollution attempts. Additionally, this release includes targeted protection for a high-impact unrestricted file upload vulnerability in Magento and Adobe Commerce.
Key Findings
-
CVE-2025-59718: An improper cryptographic signature verification vulnerability in Fortinet FortiOS, FortiProxy, and FortiSwitchManager. This may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication using a maliciously crafted SAML message, if that feature is enabled on the device.
-
Magento 2 - Unrestricted File Upload: A critical flaw in Magento and Adobe Commerce allows unauthenticated attackers to bypass security checks and upload malicious files to the server, potentially leading to Remote Code Execution (RCE).
Impact
Successful exploitation of the Fortinet and Magento vulnerabilities could allow unauthenticated attackers to gain administrative control or deploy webshells, leading to complete server compromise and data theft.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A Generic Rules - Parameter Pollution - Body Log Disabled This is a new detection. Cloudflare Managed Ruleset N/A Generic Rules - Parameter Pollution - Header - Form Log Disabled This is a new detection. Cloudflare Managed Ruleset N/A Generic Rules - Parameter Pollution - URI Log Disabled This is a new detection. Cloudflare Managed Ruleset N/A Magento 2 - Unrestricted file upload Log Block This is a new detection. Cloudflare Managed Ruleset N/A Fortinet FortiCloud SSO - Authentication Bypass - CVE:CVE-2025-59718 Log Block This is a new detection. -
Announcement Date Release Date Release Behavior Legacy Rule ID Rule ID Description Comments 2026-03-30 2026-04-06 Log N/A Generic Rules - Command Execution - 5 - Body This is a new detection. 2026-03-30 2026-04-06 Log N/A Generic Rules - Command Execution - 5 - Header This is a new detection. 2026-03-30 2026-04-06 Log N/A Generic Rules - Command Execution - 5 - URI This is a new detection. 2026-03-30 2026-04-06 Log N/A MCP Server - Remote Code Execution - CVE:CVE-2026-23744 This is a new detection. 2026-03-30 2026-04-06 Log N/A XSS - OnEvents - Cookies This is a new detection. 2026-03-30 2026-04-06 Log N/A SQLi - Evasion - Body This is a new detection. 2026-03-30 2026-04-06 Log N/A SQLi - Evasion - Headers This is a new detection. 2026-03-30 2026-04-06 Log N/A SQLi - Evasion - URI This is a new detection. 2026-03-30 2026-04-06 Log N/A SQLi - LIKE 3 - Body This is a new detection. 2026-03-30 2026-04-06 Log N/A SSQLi - LIKE 3 - URI This is a new detection. 2026-03-30 2026-04-06 Log N/A SQLi - UNION - 2 - Body This is a new detection. 2026-03-30 2026-04-06 Log N/A SQLi - UNION - 2 - URI This is a new detection. 2026-03-30 2026-04-06 Log N/A SolarWinds - Auth Bypass - CVE:CVE-2025-40552 This is a new detection.
This week's release focuses on new improvements to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A Command Injection - Generic 9 - URI Vector Log Disabled This is a new detection. Cloudflare Managed Ruleset N/A Command Injection - Generic 9 - Header Vector Log Disabled This is a new detection. Cloudflare Managed Ruleset N/A Command Injection - Generic 9 - Body Vector Log Disabled This is a new detection. Cloudflare Managed Ruleset N/A PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132 (beta) Log Block This rule has been merged into the original rule "PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132" (ID:
This week's release introduces new detections for vulnerabilities in Ivanti Endpoint Manager Mobile (CVE-2026-1281 and CVE-2026-1340), alongside a new generic detection rule designed to identify and block Cross-Site Scripting (XSS) injection attempts within the
Content-Security-Policy(CSP) HTTP request header.Key Findings
- CVE-2026-1281 & CVE-2026-1340: Ivanti Endpoint Manager Mobile processes HTTP requests through Apache RevwriteMap directives that pass user-controlled input to Bash scripts (
/mi/bin/map-appstore-urland/mi/bin/map-aft-store-url). Bash scripts do not sanitize user input and are vulnerable to shell arithmetic expansion thereby allowing attackers to achieve unauthenticated remote code execution. - Generic XSS in CSP Header: This rule identifies malicious payloads embedded within the request's
Content-Security-Policyheader. It specifically targets scenarios where web frameworks or applications trust and extract values directly from the CSP header in the incoming request without sufficient validation. Attackers can provide crafted header values to inject scripts or malicious directives that are subsequently processed by the server.
Impact
Successful exploitation of Ivanti EPMM vulnerability allows unauthenticated remote code execution and generic XSS in CSP header allows attackers to inject malicious scripts during page rendering. In environments using server-side caching, this poisoned XSS content can subsequently be cached and automatically served to all visitors.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A Ivanti EPMM - Code Injection - CVE:CVE-2026-1281 CVE:CVE-2026-1340 Log Block This is a new detection. Cloudflare Managed Ruleset N/A Anomaly:Header:Content-Security-Policy N/A Block This is a new detection. - CVE-2026-1281 & CVE-2026-1340: Ivanti Endpoint Manager Mobile processes HTTP requests through Apache RevwriteMap directives that pass user-controlled input to Bash scripts (
This week's release introduces new detections for vulnerabilities in SmarterTools SmarterMail (CVE-2025-52691 and CVE-2026-23760), alongside improvements to an existing Command Injection (nslookup) detection to enhance coverage.
Key Findings
- CVE-2025-52691: SmarterTools SmarterMail mail server is vulnerable to Arbitrary File Upload, allowing an unauthenticated attacker to upload files to any location on the mail server, potentially enabling remote code execution.
- CVE-2026-23760: SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API permitting unaunthenticated to reset system administrator accounts failing to verify existing password or reset token.
Impact
Successful exploitation of these SmarterMail vulnerabilities could lead to full system compromise or unauthorized administrative access to mail servers. Administrators are strongly encouraged to apply vendor patches without delay.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A SmarterMail - Arbitrary File Upload - CVE-2025-52691 Log Block This is a new detection. Cloudflare Managed Ruleset N/A SmarterMail - Authentication Bypass - CVE-2026-23760 Log Block This is a new detection. Cloudflare Managed Ruleset N/A Command Injection - Nslookup - Beta Log Block This rule is merged into the original rule "Command Injection - Nslookup" (ID:
This week’s release introduces new detections for CVE-2025-68645 and CVE-2025-31125.
Key Findings
- CVE-2025-68645: A Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 allows unauthenticated remote attackers to craft requests to the
/h/restendpoint, improperly influence internal dispatching, and include arbitrary files from the WebRoot directory. - CVE-2025-31125: Vite, the JavaScript frontend tooling framework, exposes content of non-allowed files via
?inline&importwhen its development server is network-exposed, enabling unauthorized attackers to read arbitrary files and potentially leak sensitive information.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A Zimbra - Local File Inclusion - CVE:CVE-2025-68645 Log Block This is a new detection. Cloudflare Managed Ruleset N/A Vite - WASM Import Path Traversal - CVE:CVE-2025-31125 Log Block This is a new detection. - CVE-2025-68645: A Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite (ZCS) 10.0 and 10.1 allows unauthenticated remote attackers to craft requests to the
This week’s release changes the rule action from BLOCK to Disabled for Anomaly:Header:User-Agent - Fake Google Bot.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A Anomaly:Header:User-Agent - Fake Google Bot Enabled Disabled We are changing the action for this rule from BLOCK to Disabled
This week’s release introduces new detections for CVE-2025-64459 and CVE-2025-24893.
Key Findings
- CVE-2025-64459: Django versions prior to 5.1.14, 5.2.8, and 4.2.26 are vulnerable to SQL injection via crafted dictionaries passed to QuerySet methods and the
Q()class. - CVE-2025-24893: XWiki allows unauthenticated remote code execution through crafted requests to the SolrSearch endpoint, affecting the entire installation.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A XWiki - Remote Code Execution - CVE:CVE-2025-24893 2 Log Block This is a new detection. Cloudflare Managed Ruleset N/A Django SQLI - CVE:CVE-2025-64459 Log Block This is a new detection. Cloudflare Managed Ruleset N/A NoSQL, MongoDB - SQLi - Comparison - 2 Block Block Rule metadata description refined. Detection unchanged. - CVE-2025-64459: Django versions prior to 5.1.14, 5.2.8, and 4.2.26 are vulnerable to SQL injection via crafted dictionaries passed to QuerySet methods and the
This week’s release introduces new detections for denial-of-service attempts targeting React CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864 ↗).
Key Findings
- CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864 ↗) affects
react-server-dom-parcel,react-server-dom-turbopack, andreact-server-dom-webpackpackages. - Attackers can send crafted HTTP requests to Server Function endpoints, causing server crashes, out-of-memory exceptions, or excessive CPU usage.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A React Server - DOS - CVE:CVE-2026-23864 - 1 N/A Block This is a new detection. Cloudflare Managed Ruleset N/A React Server - DOS - CVE:CVE-2026-23864 - 2 N/A Block This is a new detection. Cloudflare Managed Ruleset N/A React Server - DOS - CVE:CVE-2026-23864 - 3 N/A Block This is a new detection. - CVE-2026-23864 (https://www.cve.org/CVERecord?id=CVE-2026-23864 ↗) affects
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against SQL injection.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A SQLi - Comment - Beta Log Block This rule is merged into the original rule "SQLi - Comment" (ID: Cloudflare Managed Ruleset N/A SQLi - Comparison - Beta Log Block This rule is merged into the original rule "SQLi - Comparison" (ID:
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against SQL Injection.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A SQLi - String Function - Beta Log Block This rule is merged into the original rule "SQLi - String Function" (ID: Cloudflare Managed Ruleset N/A SQLi - Sub Query - Beta Log Block This rule is merged into the original rule "SQLi - Sub Query" (ID:
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against SQL Injection.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A SQLi - AND/OR MAKE_SET/ELT - Beta Log Block This rule is merged into the original rule "SQLi - AND/OR MAKE_SET/ELT" (ID: Cloudflare Managed Ruleset N/A SQLi - Benchmark Function - Beta Log Block This rule is merged into the original rule "SQLi - Benchmark Function" (ID:
This week's release focuses on improvements to existing detections to enhance coverage.
Key Findings
- Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A Atlassian Confluence - Code Injection - CVE:CVE-2021-26084 - Beta Log Block This rule is merged into the original rule "Atlassian Confluence - Code Injection - CVE:CVE-2021-26084" (ID: Cloudflare Managed Ruleset N/A PostgreSQL - SQLi - Copy - Beta Log Block This rule is merged into the original rule "PostgreSQL - SQLi - COPY" (ID: Cloudflare Managed Ruleset N/A Generic Rules - Command Execution - Body Log Disabled This is a new detection. Cloudflare Managed Ruleset N/A Generic Rules - Command Execution - Header Log Disabled This is a new detection. Cloudflare Managed Ruleset N/A Generic Rules - Command Execution - URI Log Disabled This is a new detection. Cloudflare Managed Ruleset N/A SQLi - Tautology - URI - Beta Log Block This rule is merged into the original rule "SQLi - Tautology - URI" (ID: Cloudflare Managed Ruleset N/A SQLi - WaitFor Function - Beta Log Block This rule is merged into the original rule "SQLi - WaitFor Function" (ID: Cloudflare Managed Ruleset N/A SQLi - AND/OR Digit Operator Digit 2 - Beta Log Block This rule is merged into the original rule "SQLi - AND/OR Digit Operator Digit" (ID: Cloudflare Managed Ruleset N/A SQLi - Equation 2 - Beta Log Block This rule is merged into the original rule "SQLi - Equation" (ID:
This emergency release introduces rules for CVE-2025-55183 and CVE-2025-55184, targeting server-side function exposure and resource-exhaustion patterns, respectively.
Key Findings
Added coverage for Leaking Server Functions (CVE-2025-55183) and React Function DoS detection (CVE-2025-55184).
Impact
These updates strengthen protection for server-function abuse techniques (CVE-2025-55183, CVE-2025-55184) that may expose internal logic or disrupt application availability.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A React - Leaking Server Functions - CVE:CVE-2025-55183 N/A Block This was labeled as Generic - Server Function Source Code Exposure. Cloudflare Free Ruleset N/A React - Leaking Server Functions - CVE:CVE-2025-55183 N/A Block This was labeled as Generic - Server Function Source Code Exposure. Cloudflare Managed Ruleset N/A React - DoS - CVE:CVE-2025-55184 N/A Disabled This was labeled as Generic – Server Function Resource Exhaustion.
This additional week's emergency release introduces improvements to our existing rule for React – Remote Code Execution – CVE-2025-55182 - 2, along with two new generic detections covering server-side function exposure and resource-exhaustion patterns.
Key Findings
Enhanced detection logic for React – RCE – CVE-2025-55182, added Generic – Server Function Source Code Exposure, and added Generic – Server Function Resource Exhaustion.
Impact
These updates strengthen protection against React RCE exploitation attempts and broaden coverage for common server-function abuse techniques that may expose internal logic or disrupt application availability.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A React - Remote Code Execution - CVE:CVE-2025-55182 - 2 N/A Block This is an improved detection. Cloudflare Free Ruleset N/A React - Remote Code Execution - CVE:CVE-2025-55182 - 2 N/A Block This is an improved detection. Cloudflare Managed Ruleset N/A Generic - Server Function Source Code Exposure N/A Block This is a new detection. Cloudflare Free Ruleset N/A Generic - Server Function Source Code Exposure N/A Block This is a new detection. Cloudflare Managed Ruleset N/A Generic - Server Function Resource Exhaustion N/A Disabled This is a new detection.
Cloudflare WAF now inspects request-payload size of up to 1 MB across all plans to enhance our detection capabilities for React RCE (CVE-2025-55182).
Key Findings
React payloads commonly have a default maximum size of 1 MB. Cloudflare WAF previously inspected up to 128 KB on Enterprise plans, with even lower limits on other plans.
Update: We later reinstated the maximum request-payload size the Cloudflare WAF inspects. Refer to Updating the WAF maximum payload values for details.
We are reinstating the maximum request-payload size the Cloudflare WAF inspects, with WAF on Enterprise zones inspecting up to 128 KB.
Key Findings
On December 5, 2025, we initially attempted to increase the maximum WAF payload limit to 1 MB across all plans. However, an automatic rollout for all customers proved impractical because the increase led to a surge in false positives for existing managed rules.
This issue was particularly notable within the Cloudflare Managed Ruleset and the Cloudflare OWASP Core Ruleset, impacting customer traffic.
Impact
Customers on paid plans can increase the limit to 1 MB for any of their zones by contacting Cloudflare Support. Free zones are already protected up to 1 MB and do not require any action.
The WAF rule deployed yesterday to block unsafe deserialization-based RCE has been updated. The rule description now reads “React – RCE – CVE-2025-55182”, explicitly mapping to the recently disclosed React Server Components vulnerability. Detection logic remains unchanged.
Key Findings
Rule description updated to reference React – RCE – CVE-2025-55182 while retaining existing unsafe-deserialization detection.
Impact
Improved classification and traceability with no change to coverage against remote code execution attempts.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A React - RCE - CVE:CVE-2025-55182 N/A Block Rule metadata description changed. Detection unchanged. Cloudflare Free Ruleset N/A React - RCE - CVE:CVE-2025-55182 N/A Block Rule metadata description changed. Detection unchanged.
This week's emergency release introduces a new rule to block a critical RCE vulnerability in widely-used web frameworks through unsafe deserialization patterns.
Key Findings
New WAF rule deployed for RCE Generic Framework to block malicious POST requests containing unsafe deserialization patterns. If successfully exploited, this vulnerability allows attackers with network access via HTTP to execute arbitrary code remotely.
Impact
- Successful exploitation allows unauthenticated attackers to execute arbitrary code remotely through crafted serialization payloads, enabling complete system compromise, data exfiltration, and potential lateral movement within affected environments.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A RCE Generic - Framework N/A Block This is a new detection. Cloudflare Free Ruleset N/A RCE Generic - Framework N/A Block This is a new detection.
This week’s release introduces new detections for remote code execution attempts targeting Monsta FTP (CVE-2025-34299), alongside improvements to an existing XSS detection to enhance coverage.
Key Findings
- CVE-2025-34299 is a critical remote code execution flaw in Monsta FTP, arising from improper handling of user-supplied parameters within the file-handling interface. Certain builds allow crafted requests to bypass sanitization and reach backend PHP functions that execute arbitrary commands. Attackers can send manipulated parameters through the web panel to trigger command execution within the application’s runtime environment.
Impact
If exploited, the vulnerability enables full remote command execution on the underlying server, allowing takeover of the hosting environment, unauthorized file access, and potential lateral movement. As the flaw can be triggered without authentication on exposed Monsta FTP instances, it represents a severe risk for publicly reachable deployments.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A Monsta FTP - Remote Code Execution - CVE:CVE-2025-34299 Log Block This is a new detection Cloudflare Managed Ruleset N/A XSS - JS Context Escape - Beta Log Block This rule is merged into the original rule "XSS - JS Context Escape" (ID:
This week highlights enhancements to detection signatures improving coverage for vulnerabilities in FortiWeb, linked to CVE-2025-64446, alongside new detection logic expanding protection against PHP Wrapper Injection techniques.
Key Findings
This vulnerability enables an unauthenticated attacker to bypass access controls by abusing the
CGIINFOheader. The latest update strengthens detection logic to ensure a reliable identification of crafted requests attempting to exploit this flaw.Impact
- FortiWeb (CVE-2025-64446): Exploitation allows a remote unauthenticated adversary to circumvent authentication mechanisms by sending a manipulated
CGIINFOheader to FortiWeb’s backend CGI handler. Successful exploitation grants unintended access to restricted administrative functionality, potentially enabling configuration tampering or system-level actions.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A FortiWeb - Authentication Bypass via CGIINFO Header - CVE:CVE-2025-64446 Log Block This is a new detection Cloudflare Managed Ruleset N/A PHP Wrapper Injection - Body - Beta Log Disabled This rule has been merged into the original rule "PHP Wrapper Injection - Body" (ID: Cloudflare Managed Ruleset N/A PHP Wrapper Injection - URI - Beta Log Disabled This rule has been merged into the original rule "PHP Wrapper Injection - URI" (ID: - FortiWeb (CVE-2025-64446): Exploitation allows a remote unauthenticated adversary to circumvent authentication mechanisms by sending a manipulated
This week’s release introduces a critical detection for CVE-2025-61757, a vulnerability in the Oracle Identity Manager REST WebServices component.
Key Findings
This flaw allows unauthenticated attackers with network access over HTTP to fully compromise the Identity Manager, potentially leading to a complete takeover.
Impact
Oracle Identity Manager (CVE-2025-61757): Exploitation could allow an unauthenticated remote attacker to bypass security checks by sending specially crafted requests to the application's message processor. This enables the creation of arbitrary employee accounts, which can be leveraged to modify system configurations and achieve full system compromise.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A Oracle Identity Manager - Pre-Auth RCE - CVE:CVE-2025-61757 N/A Block This is a new detection.
This week highlights enhancements to detection signatures improving coverage for vulnerabilities in DELMIA Apriso, linked to CVE-2025-6205.
Key Findings
This vulnerability allows unauthenticated attackers to gain privileged access to the application. The latest update provides enhanced detection logic for resilient protection against exploitation attempts.
Impact
- DELMIA Apriso (CVE-2025-6205): Exploitation could allow an unauthenticated remote attacker to bypass security checks by sending specially crafted requests to the application's message processor. This enables the creation of arbitrary employee accounts, which can be leveraged to modify system configurations and achieve full system compromise.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A DELMIA Apriso - Auth Bypass - CVE:CVE-2025-6205 Log Block This is a new detection. Cloudflare Managed Ruleset N/A PHP Wrapper Injection - Body N/A Disabled Rule metadata description refined. Detection unchanged. Cloudflare Managed Ruleset N/A PHP Wrapper Injection - URI N/A Disabled Rule metadata description refined. Detection unchanged.
This week’s release introduces new detections for Prototype Pollution across three common vectors: URI, Body, and Header/Form.
Key Findings
- These attacks can affect both API and web applications by altering normal behavior or bypassing security controls.
Impact
Exploitation may allow attackers to change internal logic or cause unexpected behavior in applications using JavaScript or Node.js frameworks. Developers should sanitize input keys and avoid merging untrusted data structures.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A Generic Rules - Prototype Pollution - URI Log Disabled This is a new detection Cloudflare Managed Ruleset N/A Generic Rules - Prototype Pollution - Body Log Disabled This is a new detection Cloudflare Managed Ruleset N/A Generic Rules - Prototype Pollution - Header - Form Log Disabled This is a new detection
This week’s emergency release introduces a new detection signature that enhances coverage for a critical vulnerability in the React Native Metro Development Server, tracked as CVE-2025-11953.
Key Findings
The Metro Development Server exposes an HTTP endpoint that is vulnerable to OS command injection (CWE-78). An unauthenticated network attacker can send a crafted request to this endpoint and execute arbitrary commands on the host running Metro. The vulnerability affects Metro/cli-server-api builds used by React Native Community CLI in pre-patch development releases.
Impact
Successful exploitation of CVE-2025-11953 may result in remote command execution on developer workstations or CI/build agents, leading to credential and secret exposure, source tampering, and potential lateral movement into internal networks. Administrators and developers are strongly advised to apply the vendor's patches and restrict Metro’s network exposure to reduce this risk.
Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments Cloudflare Managed Ruleset N/A React Native Metro - Command Injection - CVE:CVE-2025-11953 N/A Block This is a New Detection