Cyber Web Spider Blog – News

Critical Metro4Shell Vulnerability Exploited in React Native


Posted on February 3, 2026 By CWS

Key Points

  • Metro4Shell vulnerability in React Native CLI is being exploited.
  • Allows remote code execution with a CVSS score of 9.8.
  • Exploitation involves delivering a PowerShell script.

Introduction to the Exploit

Hackers have begun exploiting a critical security flaw in the Metro Development Server, part of the widely used ‘@react-native-community/cli’ npm package. Exploitation of the vulnerability, tracked as CVE-2025-11953 and nicknamed Metro4Shell, was first observed by cybersecurity firm VulnCheck on December 21, 2025. The flaw carries a critical CVSS score of 9.8 and enables attackers to execute arbitrary commands on affected host systems.

The vulnerability was initially documented by JFrog in November 2025. Despite the severity and the potential for widespread exploitation, public recognition of the threat has been minimal since its discovery.

Details of the Attack Methodology

In the attacks monitored by VulnCheck’s honeypot network, cybercriminals have been using the Metro4Shell flaw to deliver a Base64-encoded PowerShell script. This script is designed to perform several malicious activities. Among them is the exclusion of specific directories from Microsoft Defender Antivirus scans, particularly the current working directory and the temporary folder.

The script further establishes a direct TCP connection to an external server controlled by the attacker. This connection facilitates the downloading of a binary file, which is then executed on the compromised system. The binary, written in Rust, includes mechanisms to thwart static analysis, complicating detection efforts.

  • Connection made to: 8.218.43[.]248:60124
  • Originating attack IPs: 5.109.182[.]231, 223.6.249[.]141, 134.209.69[.]155
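
A triage sketch for the behaviour described above, added here as an example and not taken from VulnCheck, JFrog or the React Native project: it decodes PowerShell `-EncodedCommand` arguments from process-creation events and flags Defender exclusion changes and raw TCP client use in the decoded script. Assumptions: the script is launched through `-EncodedCommand`, events expose the parent image and command line, and the event schema, sample events and `TcpClient` pattern are constructed for illustration.

```python
import base64
import re

# Candidate "-e... <base64>" arguments; PowerShell accepts any unambiguous
# prefix of -EncodedCommand (-e, -en, -enc, ...) plus the -ec alias.
ENC_ARG = re.compile(r"\s-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Patterns run over the DECODED script. The TcpClient pattern is an assumption
# about how a "direct TCP connection" would appear in PowerShell.
RULES = {
    "defender_exclusion": re.compile(
        r"\b(?:Add|Set)-MpPreference\b[^\n;|]*-Exclusion(?:Path|Process|Extension)", re.I),
    "raw_tcp_client": re.compile(r"Net\.Sockets\.TcpClient", re.I),
}

def decode_encoded_command(cmdline):
    """Return the script hidden in an -EncodedCommand argument, or None."""
    for m in ENC_ARG.finditer(cmdline):
        name = m.group(1).lower()
        if name != "ec" and not "encodedcommand".startswith(name):
            continue  # some other parameter, e.g. -ExecutionPolicy
        try:  # -EncodedCommand carries Base64 over UTF-16LE text
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except ValueError:  # bad Base64 or odd byte count: not a script
            continue
    return None

def triage(event):
    """Return finding names for one process-creation event (hypothetical schema)."""
    script = decode_encoded_command(event["cmdline"])
    if script is None:
        return []
    findings = []
    if event["parent"].lower().endswith("node.exe"):  # Metro runs under Node.js
        findings.append("encoded_powershell_from_node")
    findings += [name for name, rx in RULES.items() if rx.search(script)]
    return findings

def _enc(script):  # builds the constructed sample input only
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\nodejs\node.exe", "cmdline": "powershell.exe -NoProfile -enc " + _enc(
        "Add-MpPreference -ExclusionPath $env:TEMP; $c = New-Object System.Net.Sockets.TcpClient")},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\build\lint.ps1"},
    {"parent": r"C:\Program Files\nodejs\node.exe", "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-ChildItem")},
]
```

Matching on the decoded text rather than the raw command line is what makes the exclusion rule fire; the Base64 form contains none of the cmdlet names.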

Analysis and Implications

VulnCheck has characterized these activities as consistent and operational, rather than experimental or exploratory. The persistent use of similar payloads over several weeks suggests a deliberate campaign rather than preliminary testing or vulnerability scanning.

The case of CVE-2025-11953 is noteworthy not only because the flaw exists but because it highlights a recurring problem in cybersecurity: development environments become production targets as soon as they are reachable on public networks.

Conclusion

The exploitation of the Metro4Shell vulnerability in the React Native CLI package is a critical reminder of the vulnerabilities inherent in open-source software and the need for robust security measures. Organizations using this software should urgently review their security protocols to mitigate potential risks associated with this flaw.
