Critical React Native vulnerability exploited in the wild as researchers warn of silent attacks
#Vulnerabilities

Privacy Reporter

A critical vulnerability, rated CVSS 9.8, in the Metro development server started by React Native's Community CLI is being actively exploited to deliver malware, yet public awareness remains dangerously low despite attacks dating back to December 2025.

Security researchers are raising alarms about active exploitation of a critical vulnerability in the Metro development server used by React Native, warning that attacks have been underway since December 2025 but have yet to receive adequate public attention.

The vulnerability and its severity

The flaw, tracked as CVE-2025-11953, affects the React Native Community command-line tool, whose packages see nearly 2.5 million weekly downloads on npm. It is an OS command injection in the Metro development server that the CLI starts for local development (the code lives in the CLI's server package, @react-native-community/cli-server-api): the server exposes an /open-url endpoint that takes a URL from the body of a POST request and hands it to the operating system to open, without authentication and without validating the value.

When exploited, an unauthenticated attacker with network access to the server can send a single POST request to that endpoint and execute code on the developer's machine. On Windows the attacker can run arbitrary shell commands with fully controlled arguments; on Linux and macOS the attacker can launch arbitrary executables already present on the host, with only limited control over their arguments. Metro's default port is 8081, and because developers routinely run it reachable from their local network (and, as internet-wide scan data later in this piece shows, sometimes from the internet), "network attacker" covers far more than a lab adversary.

JFrog researchers discovered the vulnerability and disclosed it publicly in early November 2025, after Meta had shipped a fix. It carries a critical CVSS score of 9.8, just short of the maximum possible score, indicating it is "almost as bad as bugs get."

Active exploitation in the wild

More concerning than the score itself is that exploitation began well before the vulnerability gained public attention. According to VulnCheck CTO Jacob Baines, "VulnCheck observed exploitation attempts as early as December, well before public discussion framed CVE-2025-11953 as anything more than a theoretical risk."

Baines emphasized the speed at which attackers can act once scanning becomes viable, noting that "developer tooling - widespread, inconsistently monitored, and often not treated as production-grade - represents a particularly attractive early target."

Attack methodology and payloads

The attacks observed by researchers follow a multi-stage chain:

  1. Initial compromise: Attackers send malicious POST requests to the exposed Metro server endpoint
  2. PowerShell-based loader: A multi-stage PowerShell loader is launched through cmd.exe
  3. Defense evasion: The loader disables Microsoft Defender protections before retrieving the payload
  4. Final payload: A Rust-based binary with anti-analysis features is downloaded and executed

The deliberate disabling of Microsoft Defender protections indicates attackers anticipated endpoint security controls and built evasion measures into their initial execution flow.

Attack infrastructure

Researchers have identified several IP addresses as sources of the exploitation attempts:

  • 65.109.182.231
  • 223.6.249.141
  • 134.209.69.155

The payloads are hosted at:

  • 8.218.43.248:60124 (Windows payload)
  • 47.86.33.195:60130 (both Windows and Linux binaries)

The awareness gap

What makes this situation particularly dangerous is the disconnect between observed exploitation and public recognition. More than a month after the first in-the-wild exploitation, the activity has still not been widely acknowledged.

Baines pointed out that the Exploit Prediction Scoring System (EPSS) continues to assign this vulnerability an exploitation probability of just 0.00405 (about 0.4 percent over the next 30 days), a stark contrast to the observed reality of active attacks.

"This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide search data shows, exposed on the public internet," Baines wrote in his analysis.

The first wave of exploitation began in December; further attacks delivering the same payloads were observed on January 4 and January 21.

Why this matters

This vulnerability highlights a persistent blind spot in cybersecurity: developer tooling. These tools are:

  • Widely deployed: Nearly 2.5 million weekly downloads
  • Inconsistently monitored: Often not treated as production-grade infrastructure
  • Easily accessible: Often reachable from the local network and, as internet-wide scan data shows, sometimes from the public internet
  • High-value targets: Provide direct code execution on developer workstations

Meta created React Native to allow developers to build mobile applications for iOS and Android using JavaScript and React, making it a cornerstone technology for many organizations. The widespread adoption combined with the critical nature of the vulnerability creates a perfect storm for attackers.

Protection and mitigation

Organizations using React Native should:

  1. Update the React Native Community CLI to a release containing Meta's fix immediately, if not already done
  2. Review the network exposure of development servers: Metro should listen on loopback or a trusted development network only, never on an internet-facing interface
  3. Monitor for traffic from the identified IP addresses and for outbound connections to the listed payload hosts
  4. Segment development environments from the rest of the network
  5. Apply production-grade security controls (patching, logging, endpoint protection) to development tooling

The fact that attackers are actively exploiting this vulnerability while public awareness remains low serves as a stark reminder that in cybersecurity, what you don't know can hurt you - and in this case, the attackers seem to know more than many defenders.
