React Native Metro4Shell Exploited
Threat actors have been actively exploiting a critical React Native vulnerability, tracked as CVE-2025-11953 and dubbed Metro4Shell, since late December 2025. Despite limited public attention, real-world attacks have already been observed. The flaw enables unauthenticated remote code execution on exposed React Native development servers, highlighting a recurring security failure: development infrastructure unintentionally exposed to the public internet.
Context
CVE-2025-11953 affects the React Native Community CLI package (@react-native-community/cli), which supports roughly two million weekly downloads. The vulnerability resides in Metro, the JavaScript bundler and development server commonly used during React Native app development and testing.
Although development server vulnerabilities are often dismissed as low-risk due to assumed local-only exposure, recent warnings from JFrog and VulnCheck show that these assumptions no longer hold in modern cloud and CI/CD environments.
What Happened
VulnCheck observed active exploitation attempts beginning on December 21, with additional activity on January 4 and January 21, indicating sustained operational use. Thousands of internet-accessible React Native development servers are believed to be exposed.
Despite the vulnerability being disclosed in early November 2025, public discourse continued to frame it as a theoretical issue rather than an active intrusion vector—creating a dangerous gap between awareness and exploitation.
Technical Breakdown
Metro4Shell stems from Metro's default behavior of binding its development server to external network interfaces rather than to loopback only. When such a server is reachable over the network, an attacker can send unauthenticated POST requests that result in remote OS command execution.
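An added example, not code from the React Native or Metro projects, of how a defender can check a Linux development host for the exposure described above: it parses the kernel's /proc/net/tcp and /proc/net/tcp6 tables and reports any listening socket on the Metro port that is bound to a wildcard address (0.0.0.0 or ::) and therefore reachable from other hosts. The port 8081 is Metro's default and is assumed not to be overridden; the sample table rows are constructed.

```python
"""Audit a Linux host for a Metro dev server bound to all interfaces.
Parses /proc/net/tcp{,6} and reports LISTEN sockets on the Metro port
bound to a wildcard address. Added example, not Metro project code."""
import socket
import struct

METRO_PORT = 8081   # Metro's default port; assumption: not overridden in your setup
TCP_LISTEN = 0x0A   # value of the "st" column for a listening socket


def parse_addr(field: str):
    """Convert the kernel's 'HEXIP:HEXPORT' field to (ip, port)."""
    ip_hex, port_hex = field.split(":")
    raw = bytes.fromhex(ip_hex)
    if len(raw) == 4:
        ip = socket.inet_ntop(socket.AF_INET, raw[::-1])        # one little-endian word
    else:
        words = struct.unpack("<4I", raw)                       # four little-endian words
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *words))
    return ip, int(port_hex, 16)


def exposed_listeners(proc_net_text: str, port: int = METRO_PORT):
    """Return [(ip, port)] for LISTEN sockets on `port` bound to 0.0.0.0 or ::.
    Loopback-only listeners are the safe configuration and are not reported."""
    found = []
    for line in proc_net_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):      # skip header / junk
            continue
        ip, lport = parse_addr(fields[1])
        if lport == port and int(fields[3], 16) == TCP_LISTEN and ip in ("0.0.0.0", "::"):
            found.append((ip, lport))
    return found


def audit_host(port: int = METRO_PORT):
    """Read the live socket tables (Linux only) and return exposed listeners."""
    found = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                found += exposed_listeners(fh.read(), port)
        except OSError:
            pass   # table absent (e.g. IPv6 disabled or non-Linux host)
    return found


# Constructed sample: a wildcard listener on 8081 and a loopback-only one
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F91 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
"""
```

Run `audit_host()` on a Linux dev box or CI runner; an empty list means Metro is either not running or listening on loopback only, which is the configuration to keep.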
Observed attacks deployed a multi-stage PowerShell loader that:
- Disabled Microsoft Defender protections
- Established a raw TCP connection to attacker-controlled infrastructure
- Downloaded and executed a secondary payload
The final payload, written in Rust, included basic anti-analysis features and targeted both Windows and Linux systems, demonstrating cross-platform attacker intent.
Impact Analysis
Exploitation enables full system compromise, allowing attackers to:
- Execute arbitrary commands
- Deploy additional malware
- Establish persistent access
- Pivot into internal networks
Because Metro is commonly assumed to be “safe” for development use, many organizations fail to apply production-grade security controls, increasing exposure risk.
Why It Matters
Metro4Shell reinforces a hard lesson defenders repeatedly relearn: any service reachable from the internet is production infrastructure, regardless of original intent. Development tools, CI pipelines, and test servers are increasingly targeted because they are often less monitored and poorly secured.
Expert Commentary
“CVE-2025-11953 is not remarkable because it exists,” VulnCheck notes. “It is remarkable because it reinforces a pattern defenders continue to relearn.”
The deliberate disabling of endpoint security before payload retrieval shows attackers anticipated defensive controls and engineered evasion into the earliest stages of execution.
Key Takeaways
- CVE-2025-11953 (Metro4Shell) is actively exploited in the wild
- React Native development servers exposed to the internet are at risk
- The flaw allows unauthenticated remote code execution
- Attackers deploy multi-stage loaders with Defender evasion
- Both Windows and Linux systems have been targeted
- Development infrastructure must be secured like production