diff --git a/.changeset/clean-spoons-push.md b/.changeset/clean-spoons-push.md
new file mode 100644
index 0000000000..5577878e73
--- /dev/null
+++ b/.changeset/clean-spoons-push.md
@@ -0,0 +1,6 @@
+---
+"@rnx-kit/cli": patch
+---
+
+Ensure `host` is set to `localhost` by default when starting the dev server,
+otherwise it will listen to external connections.
diff --git a/packages/cli/src/start.ts b/packages/cli/src/start.ts
index 98901de997..837a10db6d 100644
--- a/packages/cli/src/start.ts
+++ b/packages/cli/src/start.ts
@@ -58,6 +58,12 @@ export async function rnxStart(
 }
 }
+ // CVE-2025-11953: Ensure `host` is set to `localhost` by default, otherwise
+ // it will listen to external connections.
+ if (!args.host) {
+ args.host = "127.0.0.1";
+ }
+
 // load Metro configuration, applying overrides from the command line
 const metroConfig = await loadMetroConfig(ctx, {
 ...args,
@@ -109,7 +115,7 @@ export async function rnxStart(
 // create middleware -- a collection of plugins which handle incoming
 // http(s) requests, routing them to static pages or JS functions.
- const host = args.host?.length ? args.host : "localhost";
+ const host = args.host;
 const devServerUrl = `${scheme}://${host}:${port}`;
 const devServer = createDevServerMiddleware({ host, port, watchFolders });
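Review bot: The comment added at the top of the start.ts hunk (and the changeset text) says the default is `localhost`, but the code assigns `"127.0.0.1"`; on a dual-stack machine these are not interchangeable, since `localhost` may resolve to `::1` and a client opening `http://localhost:<port>` would then not reach a server bound only to the IPv4 loopback address. Either make the code match the documentation, `args.host = "localhost";` (the value the fallback removed in the second hunk used), or correct the comment and the changeset to say `127.0.0.1`, and state in the comment which address was chosen and why. The guard also mutates the caller-supplied `args`, which the second hunk then depends on at a distance through `const host = args.host;`; a reader of that line can no longer see that a default exists, so a short comment there, `// args.host was defaulted to loopback above`, or a `?? "127.0.0.1"` fallback would make the dependency explicit. How `host` reaches the listening socket is outside the hunk, and rnxStart begins and ends outside it.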