Cyber Web Spider Blog – News

Critical Metro4Shell Vulnerability Exploited in React Native

Posted on February 3, 2026 By CWS

Key Points

  • Metro4Shell vulnerability in React Native CLI is being exploited.
  • Allows remote code execution with a CVSS score of 9.8.
  • Exploitation involves delivering a PowerShell script.

Introduction to the Exploit

Attackers have begun exploiting a significant security weakness in the Metro Development Server, part of the widely used ‘@react-native-community/cli’ npm package. Exploitation of this vulnerability, identified as CVE-2025-11953 and nicknamed Metro4Shell, was first observed by cybersecurity firm VulnCheck on December 21, 2025. The flaw carries a critical CVSS score of 9.8 and lets attackers execute arbitrary commands on affected hosts.

The vulnerability was initially documented by JFrog in November 2025. Despite the severity and the potential for widespread exploitation, public recognition of the threat has been minimal since its discovery.

Details of the Attack Methodology

In the attacks monitored by VulnCheck’s honeypot network, cybercriminals have been using the Metro4Shell flaw to deliver a Base64-encoded PowerShell script. This script is designed to perform several malicious activities. Among them is the exclusion of specific directories from Microsoft Defender Antivirus scans, particularly the current working directory and the temporary folder.

The script further establishes a direct TCP connection to an external server controlled by the attacker. This connection facilitates the downloading of a binary file, which is then executed on the compromised system. The binary, written in Rust, includes mechanisms to thwart static analysis, complicating detection efforts.

  • Connection made to: 8.218.43[.]248:60124
  • Originating attack IPs: 5.109.182[.]231, 223.6.249[.]141, 134.209.69[.]155
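
Detection logic for the behaviour described above, added here as an example (not code from VulnCheck, JFrog or this article's source): it decodes PowerShell `-EncodedCommand` arguments found in process-creation events and flags Defender exclusion changes, raw TCP clients and the destination listed above. The event field names, the sample events and the Node.js parent check are assumptions constructed for illustration.

```python
import base64
import re

# Destination from the article's indicator list, refanged only for matching.
C2_HOST, C2_PORT = "8.218.43[.]248:60124".replace("[.]", ".").split(":")

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...) and -ec.
FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/]+={0,2})(?=\s|$)")
RULES = {
    "defender_exclusion": re.compile(r"(?is)\b(?:Add|Set)-MpPreference\b.*?-ExclusionPath"),
    "raw_tcp_client": re.compile(r"(?i)Net\.Sockets\.TcpClient"),
    "c2_from_article": re.compile(re.escape(C2_HOST)),
}

def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    for m in FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue  # a different parameter, e.g. -ExecutionPolicy
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:  # invalid Base64 or not valid UTF-16LE
            continue
    return None

def analyze(event):
    """Return the sorted list of findings for one process-creation event."""
    script = decode_encoded_command(event["cmdline"])
    if script is None:
        return []
    findings = {"encoded_command"}
    if event["parent"].lower() in ("node.exe", "node"):  # assumption: Metro runs under Node.js
        findings.add("spawned_by_node")
    findings.update(name for name, rx in RULES.items() if rx.search(script))
    return sorted(findings)

def _enc(script):  # helper that builds the constructed samples below
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed process-creation events; the field names are hypothetical.
SAMPLE_EVENTS = [
    {"parent": "node.exe", "cmdline": "powershell.exe -enc " + _enc(
        "Add-MpPreference -ExclusionPath $env:TEMP; "
        f"New-Object System.Net.Sockets.TcpClient('{C2_HOST}', {C2_PORT})")},
    {"parent": "explorer.exe", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File build.ps1"},
    {"parent": "node.exe", "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-ChildItem .")},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["parent"], analyze(ev))
```

An encoded command spawned by a Node.js process is worth triage on its own; the Defender exclusion and raw socket findings raise its priority.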

Analysis and Implications

VulnCheck has characterized these activities as consistent and operational, rather than experimental or exploratory. The persistent use of similar payloads over several weeks suggests a deliberate campaign rather than preliminary testing or vulnerability scanning.

CVE-2025-11953 is noteworthy not merely because it exists but because it highlights a recurring issue in cybersecurity: development environments become production targets as soon as they are reachable from public networks.

Conclusion

The exploitation of the Metro4Shell vulnerability in the React Native CLI package is a critical reminder of the vulnerabilities inherent in open-source software and the need for robust security measures. Organizations using this software should urgently review their security protocols to mitigate potential risks associated with this flaw.
