Critical Metro4Shell Vulnerability in React Native’s Metro Server Actively Exploited, Urgent Patch Required

Critical Exploit in React Native’s Metro Server Puts Developers at Risk

A critical remote code execution (RCE) vulnerability, identified as CVE-2025-11953 and dubbed Metro4Shell, has been discovered in React Native’s Metro Development Server. This flaw is actively exploited by threat actors to deploy sophisticated malware on both Windows and Linux systems.

Discovery and Initial Detection

VulnCheck’s Canary honeypot network first detected exploitation of this vulnerability on December 21, 2025, with attacks persisting into January 2026. Despite its severity, the vulnerability has not received significant attention in public security discussions.

Technical Details of the Vulnerability

CVE-2025-11953 affects the Metro Development Server included with the @react-native-community/cli npm package, a fundamental tool for React Native application development. The vulnerability arises from the server’s default configuration, which binds to external network interfaces and exposes an `/open-url` endpoint susceptible to operating system command injection.

Security researchers at JFrog identified that this endpoint passes user-controlled input directly to the unsafe `open()` function from the open npm package. This flaw lets unauthenticated remote attackers execute arbitrary shell commands. On Windows, attackers can run arbitrary commands with arbitrary arguments; on macOS and Linux, they can launch executable files.

The vulnerability has been assigned a CVSS score of 9.8, indicating its critical severity. However, the Exploit Prediction Scoring System (EPSS) assigns it a low probability of exploitation (0.00405), highlighting a disconnect between theoretical risk assessments and observed real-world exploitation.

Sophisticated Multi-Stage Attack Chain

Analysis by VulnCheck reveals that the exploitation attempts are not merely experimental but demonstrate consistent operational deployment over several weeks. The attacks utilize a sophisticated multi-stage PowerShell-based loader delivered through cmd.exe, with the initial PowerShell payload base64-encoded to evade detection.

The decoded PowerShell script follows a deliberate attack sequence designed to establish persistence and evade endpoint security controls. Initially, it adds Microsoft Defender exclusion paths for both the current working directory and the Windows temporary directory, ensuring subsequent malicious activities bypass antivirus scanning.

The script then establishes a raw TCP connection to attacker-controlled infrastructure, sending a `GET /windows` request to retrieve the next-stage payload. The downloaded executable is written to the system’s temporary directory and executed with a lengthy argument string. Analysis revealed the binary as UPX-packed Rust-based malware incorporating anti-analysis techniques, including runtime checks designed to hinder static inspection.

VulnCheck observed the same attack infrastructure hosting corresponding Linux payloads, demonstrating the cross-platform nature of this campaign.

Temporal Disconnect Between Exploitation and Public Awareness

A significant aspect of this campaign is the gap between exploitation and public awareness. VulnCheck detected exploitation in December 2025 and added CVE-2025-11953 to its Known Exploited Vulnerabilities (KEV) catalog on the same day as initial detection. However, as of late January 2026, public security discourse continues to frame the vulnerability as theoretical rather than an active intrusion vector.

This intelligence gap underscores a persistent challenge in vulnerability management: attackers do not wait for official advisories or security consensus before weaponizing flaws. Developer tools are particularly attractive targets because they are widespread, inconsistently monitored, and rarely treated as production-grade attack surfaces.

Mitigation Strategies

Organizations using React Native development environments must immediately upgrade to @react-native-community/cli version 20.0.0 or later, which addresses the vulnerability. The vulnerability affects versions from 4.8.0 through 20.0.0-alpha.2.
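As an added example (not code from the advisory, VulnCheck or the React Native project), the following Node.js helper decides whether an installed `@react-native-community/cli` version falls inside the affected range stated above and scans a parsed `package-lock.json` for nested copies the top-level dependency tree would hide. It assumes a lockfile with a `packages` map (lockfileVersion 2 or 3); the sample lockfile is constructed.

```javascript
// Added example (not code from the advisory, VulnCheck or the React Native project):
// checks whether an installed @react-native-community/cli version lies in the affected
// range the advisory gives, 4.8.0 through 20.0.0-alpha.2 inclusive (fixed in 20.0.0),
// using SemVer 2.0 precedence so pre-releases of 20.0.0 sort below the final release.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer rule: a version with no pre-release identifiers outranks any pre-release of it;
// numeric identifiers compare numerically and sort below alphanumeric ones.
function comparePre(a, b) {
  if (a.length === 0 || b.length === 0) return b.length - a.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1;   // shorter identifier list sorts lower
    if (b[i] === undefined) return 1;
    const na = /^\d+$/.test(a[i]), nb = /^\d+$/.test(b[i]);
    if (na && nb) { if (Number(a[i]) !== Number(b[i])) return Number(a[i]) - Number(b[i]); }
    else if (na !== nb) return na ? -1 : 1;
    else if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) if (a.main[i] !== b.main[i]) return a.main[i] - b.main[i];
  return comparePre(a.pre, b.pre);
}

const AFFECTED_FROM = '4.8.0';             // first affected version per the advisory
const AFFECTED_THROUGH = '20.0.0-alpha.2'; // last affected version per the advisory
function isAffected(version) {
  return compareSemver(version, AFFECTED_FROM) >= 0 && compareSemver(version, AFFECTED_THROUGH) <= 0;
}

// Walk a parsed package-lock.json ("packages" map of lockfileVersion 2/3) and report every
// installed copy of the CLI, nested duplicates included, whose version is affected.
function findAffectedCli(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p, info]) => p.endsWith('node_modules/@react-native-community/cli') && info.version && isAffected(info.version))
    .map(([path, info]) => ({ path, version: info.version }));
}

// Constructed sample lockfile for demonstration only; not taken from any real project.
const SAMPLE_LOCK = { packages: {
  'node_modules/@react-native-community/cli': { version: '15.1.3' },
  'node_modules/some-tool/node_modules/@react-native-community/cli': { version: '20.0.0' },
} };
```

Feed it `JSON.parse(fs.readFileSync('package-lock.json'))` instead of `SAMPLE_LOCK` to audit a real checkout; a non-empty result from `findAffectedCli` means an upgrade to 20.0.0 or later is still pending somewhere in the tree.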

Development infrastructure should be treated as a production-grade attack surface, regardless of original intent. Metro Development Servers should never be exposed to untrusted networks, and network segmentation should isolate development environments from internet-accessible interfaces.

CVE-2025-11953 reinforces a critical pattern that defenders continue to relearn: exploitation begins the moment vulnerable systems become reachable, not when authoritative catalogs acknowledge the threat. Organizations cannot afford to wait for consensus before implementing defensive measures against actively exploited vulnerabilities targeting developer workflows.

Indicators of Compromise

Organizations should monitor for the following indicators of compromise associated with this campaign:

– Network Infrastructure:
  – IP Addresses:
    – 65.109.182.231 (Exploitation source)
    – 223.6.249.141 (Exploitation source)
    – 134.209.69.155 (Exploitation source)
    – 8.218.43.248 (Payload host for Windows)

By proactively monitoring for these indicators and implementing the recommended mitigation strategies, organizations can better protect their development environments from this critical vulnerability.