From 26295798bc37ab1a69ca13c73f4cf29567564893 Mon Sep 17 00:00:00 2001
From: Nitin Chaudhary <nitchaudhary@microsoft.com>
Date: Thu, 9 Apr 2026 13:01:24 +0530
Subject: [PATCH 1/2] fix: resolve MSRC command/argument injection
 vulnerabilities in CLI

- MSRC 112511: Replace execSync with execFileSync in msbuildtools.ts cleanProject()
  to prevent shell command injection via slnFile parameter (CWE-78)
- MSRC 112495/112540: Replace .split(' ') anti-pattern with discrete argument array
  in winappdeploytool.ts uninstallAppPackage() to prevent argument injection via
  appName parameter (CWE-88)
- Also fixes {$targetDevice.ip} syntax bug (was never interpolating the IP address)
---
 .../cli/src/utils/msbuildtools.ts                      | 10 +++++-----
 .../cli/src/utils/winappdeploytool.ts                  |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/packages/@react-native-windows/cli/src/utils/msbuildtools.ts b/packages/@react-native-windows/cli/src/utils/msbuildtools.ts
index b4cae081f1f..479fbed6974 100644
--- a/packages/@react-native-windows/cli/src/utils/msbuildtools.ts
+++ b/packages/@react-native-windows/cli/src/utils/msbuildtools.ts
@@ -45,11 +45,11 @@ export default class MSBuildTools {
   }
 
   cleanProject(slnFile: string) {
-    const cmd = `"${path.join(
-      this.msbuildPath(),
-      'msbuild.exe',
-    )}" "${slnFile}" /t:Clean`;
-    const results = child_process.execSync(cmd).toString().split(EOL);
+    const msbuild = path.join(this.msbuildPath(), 'msbuild.exe');
+    const results = child_process
+      .execFileSync(msbuild, [slnFile, '/t:Clean'])
+      .toString()
+      .split(EOL);
     results.forEach(result => console.log(chalk.white(result)));
   }
 
diff --git a/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts b/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts
index 4ba83172700..b2cbeb526f4 100644
--- a/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts
+++ b/packages/@react-native-windows/cli/src/utils/winappdeploytool.ts
@@ -157,7 +157,7 @@ export default class WinAppDeployTool {
       newSpinner(text),
       text,
       this.path,
-      `uninstall -package ${appName} -ip {$targetDevice.ip}`.split(' '),
+      ['uninstall', '-package', appName, '-ip', targetDevice.ip],
       verbose,
       'UninstallAppOnDeviceFailure',
     );

From be3361c9c595cbd577ce27993ff47a9510b418d9 Mon Sep 17 00:00:00 2001
From: Nitin Chaudhary <nitchaudhary@microsoft.com>
Date: Tue, 14 Apr 2026 21:02:45 +0530
Subject: [PATCH 2/2] Change files

---
 ...e-windows-cli-9830d0c0-7418-4c74-bfc3-f1db60545711.json | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 change/@react-native-windows-cli-9830d0c0-7418-4c74-bfc3-f1db60545711.json

diff --git a/change/@react-native-windows-cli-9830d0c0-7418-4c74-bfc3-f1db60545711.json b/change/@react-native-windows-cli-9830d0c0-7418-4c74-bfc3-f1db60545711.json
new file mode 100644
index 00000000000..1bf851f10b2
--- /dev/null
+++ b/change/@react-native-windows-cli-9830d0c0-7418-4c74-bfc3-f1db60545711.json
@@ -0,0 +1,7 @@
+{
+  "type": "prerelease",
+  "comment": "Fix command injection in cleanProject() (CWE-78) and argument injection in uninstallAppPackage() (CWE-88)",
+  "packageName": "@react-native-windows/cli",
+  "email": "nitchaudhary@microsoft.com",
+  "dependentChangeType": "patch"
+}