Key Points
- Critical React Native vulnerability CVE-2025-11953 actively exploited.
- Vulnerability impacts React Native Community CLI NPM package.
- Exploitation observed in the wild since December.
- VulnCheck emphasizes the gap between recognition and exploitation.
Introduction to the React Native Vulnerability
A severe vulnerability in the React Native framework, identified as CVE-2025-11953, has been exploited by threat actors since December, according to recent findings from VulnCheck. This vulnerability is associated with a high CVSS score of 9.8 and affects the React Native Community CLI NPM package, which records approximately two million weekly downloads.
The vulnerability originates in the React Native Community CLI project, a set of command-line tools split out of the open-source framework to improve maintainability. This flaw, like other vulnerabilities in development servers, traditionally requires local access to exploit. However, an additional issue in React Native extends exposure to external attackers, as JFrog highlighted in November.
Exploitation Details and Observations
Despite limited public discussion, VulnCheck has reported active exploitation of the vulnerability, dubbed Metro4Shell. Initial exploitation attempts were noted on December 21, with further activity recorded on January 4 and 21, indicating a sustained malicious operation. Thousands of internet-accessible React Native instances may be susceptible to this vulnerability.
VulnCheck stresses the significance of the gap between observed exploitation and broader awareness, noting that easily exploitable vulnerabilities, which are exposed on the public internet, pose substantial risks. The Metro4Shell vulnerability resides in Metro, a JavaScript bundler and development server utilized during the development and testing of React Native applications.
Technical Analysis of the Exploit
By default, Metro can bind to external interfaces, which makes exposed deployments vulnerable to unauthenticated remote OS command execution through straightforward POST requests. VulnCheck documented that attackers use a multi-stage PowerShell-based loader that deactivates Microsoft Defender protections, establishes a raw TCP connection to the attacker's server, sends a GET request, and executes the received payload.
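Because the exposure hinges on Metro listening on a non-loopback interface, the first thing a defender wants is an inventory of development servers that are reachable from outside the host. The following script is an added example, not code from VulnCheck, JFrog or the React Native project: it parses the output of `ss -ltnp` and reports Node processes bound to Metro's port on a wildcard or external address. It assumes Metro's documented default port 8081 (pass the real port if the project overrides it) and treats "Node process on that port" as a heuristic for a Metro instance; the `ss` lines below are constructed sample input.

```python
"""Flag Metro/React Native dev servers listening on non-loopback interfaces.

Added example (not from the VulnCheck or JFrog write-ups). Parses `ss -ltnp`
output and reports Node processes that expose the Metro port beyond localhost.
Port 8081 is Metro's documented default; this script assumes it was not changed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

METRO_DEFAULT_PORT = 8081                      # assumption: default Metro port in use
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}     # "listen on every interface" spellings ss uses
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')  # extracts name and pid from users:(("node",pid=4242,fd=22))


@dataclass
class Listener:
    address: str
    port: int
    process: str
    pid: int


def split_addr_port(field: str) -> Tuple[str, Optional[int]]:
    """Split ss's Local Address:Port column; IPv6 addresses are bracketed, so split on the last colon."""
    addr, _, port = field.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_ss_line(line: str) -> Optional[Listener]:
    """Return a Listener for a LISTEN row of `ss -ltnp`, or None for headers/unparseable rows."""
    parts = line.split()
    if len(parts) < 6 or parts[0] != "LISTEN":
        return None
    addr, port = split_addr_port(parts[3])
    match = PROC_RE.search(" ".join(parts[5:]))
    if port is None or match is None:
        return None
    return Listener(addr, port, match.group(1), int(match.group(2)))


def is_loopback(addr: str) -> bool:
    """True only for 127.0.0.0/8 or ::1; wildcards and real interface addresses are not loopback."""
    bare = addr.strip("[]").split("%")[0]  # drop brackets and any zone id (fe80::1%eth0)
    if bare in WILDCARDS:
        return False
    try:
        return ipaddress.ip_address(bare).is_loopback
    except ValueError:
        return False


def find_exposed_dev_servers(ss_output: str,
                             port: int = METRO_DEFAULT_PORT,
                             process_names: Tuple[str, ...] = ("node",)) -> List[Listener]:
    """Return listeners on `port` owned by `process_names` that are reachable beyond localhost."""
    findings = []
    for line in ss_output.splitlines():
        listener = parse_ss_line(line)
        if (listener is not None and listener.port == port
                and listener.process in process_names and not is_loopback(listener.address)):
            findings.append(listener)
    return findings


# Constructed sample `ss -ltnp` output; pids and addresses are made up for illustration.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:8081        0.0.0.0:*         users:(("node",pid=4242,fd=22))
LISTEN 0      511    127.0.0.1:8081      0.0.0.0:*         users:(("node",pid=4243,fd=22))
LISTEN 0      511    [::]:8081           [::]:*            users:(("node",pid=4244,fd=22))
LISTEN 0      511    [::1]:8081          [::]:*            users:(("node",pid=4245,fd=22))
LISTEN 0      128    0.0.0.0:8081        0.0.0.0:*         users:(("python3",pid=4246,fd=3))
LISTEN 0      4096   *:22                *:*               users:(("sshd",pid=900,fd=3))
"""

if __name__ == "__main__":
    for f in find_exposed_dev_servers(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: pid {f.pid} ({f.process}) listening on {f.address}:{f.port}")
```

Run it on a live host by piping `ss -ltnp` into `find_exposed_dev_servers`; on the constructed sample it reports pids 4242 and 4244 (wildcard IPv4 and IPv6 binds) and stays silent for the loopback-only instances. A hit means a development server is reachable from the network and should be restricted to localhost or shut down, which is exactly the exposure the exploitation described above relies on.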
The payload, written in Rust, incorporates basic anti-analysis logic and targets both Windows and Linux operating systems. VulnCheck’s analysis reveals that this approach to disabling security measures before payload retrieval reflects an awareness of endpoint security controls and the incorporation of evasion tactics into the attack’s initial execution flow.
Conclusion
The React Native vulnerability, CVE-2025-11953, underscores the ongoing challenges in software security, particularly how development infrastructure can inadvertently end up exposed in production environments. This case highlights the critical need for heightened awareness and proactive measures to safeguard against such exploitation. As this vulnerability continues to be exploited in the wild, developers and security professionals must remain vigilant to protect their systems and infrastructure.
