From 2149cf8821462bd6f89df76a686f239545aeb356 Mon Sep 17 00:00:00 2001
From: Nitin Chaudhary
Date: Thu, 9 Apr 2026 13:01:24 +0530
Subject: [PATCH] fix: resolve MSRC command/argument injection vulnerabilities in CLI
- MSRC 112511: Replace execSync with execFileSync in msbuildtools.ts cleanProject() to prevent shell command injection via slnFile parameter (CWE-78)
- MSRC 112495/112540: Replace .split(' ') anti-pattern with discrete argument array in winappdeploytool.ts uninstallAppPackage() to prevent argument injection via appName parameter (CWE-88)
- Also fixes {$targetDevice.ip} syntax bug (was never interpolating the IP address)
---
 .../cli/src/utils/msbuildtools.ts | 10 +++++-----
 .../cli/src/utils/winappdeploytool.ts | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/packages/@react-native-windows/cli/src/utils/msbuildtools.ts b/packages/@react-native-windows/cli/src/utils/msbuildtools.ts
index b4cae081f1f..479fbed6974 100644
--- a/packages/@react-native-windows/cli/src/utils/msbuildtools.ts
+++ b/packages/@react-native-windows/cli/src/utils/msbuildtools.ts
@@ -45,11 +45,11 @@ export default class MSBuildTools {
 }
 cleanProject(slnFile: string) {
- const cmd = `"${path.join(
- this.msbuildPath(),
- 'msbuild.exe',
- )}" "${slnFile}" /t:Clean`;
- const results = child_process.execSync(cmd).toString().split(EOL);
+ const msbuild = path.join(this.msbuildPath(), 'msbuild.exe');
+ const results = child_process
+ .execFileSync(msbuild, [slnFile, '/t:Clean'])
+ .toString()
+ .split(EOL);
 results.forEach(result => console.log(chalk.white(result)));
 }
diff --git a/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts b/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts
index 4ba83172700..b2cbeb526f4 100644
--- a/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts
+++ b/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts
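Review bot: `slnFile` is still handed to msbuild.exe as a bare positional argument in the new `.execFileSync(msbuild, [slnFile, '/t:Clean'])` line, so a value beginning with `/` or `-` (for example `/p:...` or `-logger:...`) is parsed by MSBuild as a switch rather than a solution path; the change closes the shell-injection path (CWE-78) but a caller-controlled `slnFile` can still steer MSBuild's options (CWE-88) — whether any caller passes an untrusted path is not visible from this hunk. Resolving the path first turns it into an absolute path (on Windows, drive-letter prefixed) that MSBuild cannot read as a switch: `const sln = path.resolve(slnFile);` followed by `.execFileSync(msbuild, [sln, '/t:Clean'])`. A one-line comment on the call, `// no shell: msbuild.exe is invoked directly with a discrete argv`, would record why `execFileSync` without `shell` is the right primitive here and discourage a future `shell: true`. cleanProject's body ends inside the hunk; the enclosing class continues outside it.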
@@ -157,7 +157,7 @@ export default class WinAppDeployTool {
 newSpinner(text),
 text,
 this.path,
- `uninstall -package ${appName} -ip {$targetDevice.ip}`.split(' '),
+ ['uninstall', '-package', appName, '-ip', targetDevice.ip],
 verbose,
 'UninstallAppOnDeviceFailure',
 );
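Review bot: `appName` and `targetDevice.ip` are now discrete argv entries, but an `appName` that begins with `-` or `/` is still read by WinAppDeployCmd as a switch rather than a package name, so the array alone does not fully close the argument-injection case the commit message cites (CWE-88); a guard before the call such as `if (/^[-\/]/.test(appName)) throw new Error('invalid package name');` (or a check against the expected package-full-name shape) would, and `targetDevice.ip` could be validated the same way with `net.isIP` if the module is imported in this file. Whether the array is honoured at all depends on the helper that receives `this.path` and these arguments — it is outside the hunk, and if it spawns with `shell: true` the arguments are re-joined into a command line and the change is only cosmetic, which is worth confirming before closing the MSRC items. The enclosing call and method start before the hunk and end after it.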