Critical ‘Metro4Shell’ Vulnerability in React Native CLI Exploited in Active Attacks
A critical security vulnerability, designated as CVE-2025-11953 and colloquially known as Metro4Shell, has been actively exploited by threat actors targeting the Metro Development Server within the widely-used @react-native-community/cli npm package. This flaw, carrying a CVSS score of 9.8, enables remote, unauthenticated attackers to execute arbitrary operating system commands on the host machine, posing a significant risk to developers and organizations utilizing React Native for application development.
Discovery and Initial Exploitation
The vulnerability was first identified by cybersecurity firm JFrog in November 2025, with public disclosure following shortly thereafter. Despite the availability of this information, active exploitation was observed by VulnCheck’s Canary honeypot network starting on December 21, 2025. Subsequent attacks were recorded on January 4 and January 21, 2026, indicating a sustained and operational use of the exploit rather than mere exploratory activity. ([vulncheck.com](https://www.vulncheck.com/blog/metro4shell_eitw?utm_source=openai))
Technical Details of the Vulnerability
The Metro Development Server, integral to React Native’s development and testing processes, is designed to bind to external network interfaces by default. It exposes an `/open-url` HTTP endpoint intended for local development use. On Windows systems, this endpoint is susceptible to OS command injection via specially crafted POST requests. By sending a malicious request to this endpoint, an attacker can execute arbitrary commands on the host system without authentication. ([vulncheck.com](https://www.vulncheck.com/blog/metro4shell_eitw?utm_source=openai))
Observed Attack Patterns
In the attacks monitored by VulnCheck, adversaries exploited the Metro4Shell vulnerability to deliver Base64-encoded PowerShell scripts. Once decoded and executed, these scripts performed the following actions:
1. Disabling Security Measures: The script added exclusions to Microsoft Defender Antivirus for both the current working directory and the system’s temporary folder, effectively disabling these directories from being scanned for malware.
2. Establishing Remote Connections: It initiated a raw TCP connection to an attacker-controlled server at IP address 8.218.43[.]248 on port 60124.
3. Payload Retrieval and Execution: The script sent a request to the remote server to download additional data, which was then written to a file in the system’s temporary directory and executed.
The downloaded payloads were Rust-based binaries equipped with anti-analysis features to evade detection and hinder static inspection. The consistency of these payloads across multiple attacks suggests a deliberate and ongoing campaign rather than random probing or proof-of-concept testing. ([vulncheck.com](https://www.vulncheck.com/blog/metro4shell_eitw?utm_source=openai))
Geographical Distribution of Attacks
The attacks have been traced back to several IP addresses, including:
– 5.109.182[.]231
– 223.6.249[.]141
– 134.209.69[.]155
These addresses are associated with various regions, indicating a geographically diverse set of threat actors exploiting this vulnerability. ([vulncheck.com](https://www.vulncheck.com/blog/metro4shell_eitw?utm_source=openai))
Implications for Developers and Organizations
The Metro4Shell vulnerability underscores the critical importance of securing development environments. Given that Metro binds to all network interfaces by default, any exposed development server becomes a potential entry point for attackers. The ability to execute arbitrary commands without authentication can lead to full system compromise, data exfiltration, and the deployment of additional malware.
Recommended Mitigation Strategies
To protect against exploitation of CVE-2025-11953, developers and organizations should implement the following measures:
1. Update the React Native CLI: Ensure that the @react-native-community/cli npm package is updated to the latest version where the vulnerability has been patched.
2. Restrict Network Exposure: Configure the Metro Development Server to bind only to localhost or trusted network interfaces, preventing unauthorized external access.
3. Monitor for Suspicious Activity: Regularly review logs for unusual POST requests to the `/open-url` endpoint, especially those containing unexpected or malformed parameters.
4. Implement Network Segmentation: Isolate development environments from production networks to limit the potential impact of a compromised development server.
5. Enhance Endpoint Security: Deploy comprehensive endpoint detection and response (EDR) solutions to identify and mitigate malicious activities promptly.
Conclusion
The active exploitation of the Metro4Shell vulnerability highlights the evolving threat landscape targeting development tools and environments. Developers and organizations must remain vigilant, promptly apply security patches, and adopt robust security practices to safeguard their systems against such critical vulnerabilities.
