Critical vulnerability in React Native's Metro bundler enables remote code execution on developer systems, with active exploitation delivering cross-platform malware.

Critical Vulnerability Enables Remote Code Execution
A critical vulnerability in React Native's Metro server, tracked as CVE-2025-11953, is being actively exploited by hackers to breach developer systems and deliver malicious payloads across Windows and Linux platforms. The flaw, discovered by researchers at JFrog, affects the default JavaScript bundler for React Native projects and could allow unauthenticated attackers to execute arbitrary commands on vulnerable systems.
How the Attack Works
The vulnerability stems from the /open-url HTTP endpoint in Metro, which accepts POST requests containing user-supplied URL values that are passed unsanitized to the open() function. This creates a dangerous attack vector that can be exploited in different ways depending on the operating system:
- On Windows: attackers can execute arbitrary OS commands via POST requests without authentication
- On Linux and macOS: the vulnerability allows running arbitrary executables with limited parameter control
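To make the endpoint behaviour described above concrete, the following is an added example and not Metro's own code: a handler in the vulnerable shape the article describes (request value handed straight to an opener) beside a hardened variant that only ever passes a parsed http(s) URL on. The JSON body shape `{"url": ...}`, the injected `opener` callback and the allowed-scheme list are assumptions made for illustration; it runs on Node.js with no dependencies.

```javascript
// Added example (not Metro's own code). Assumptions: the endpoint receives a
// JSON body {"url": "..."} and hands the target to an `opener` callback that
// stands in for the open() call the article describes.

// Schemes a dev-server "open this in the browser" endpoint legitimately needs.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Return a canonical URL string if `raw` is an acceptable target, else null.
// Parsing with the WHATWG URL class (rather than a regex) rejects bare paths
// and program names such as "some-local-program.exe", file:// targets and
// anything that is not a well-formed absolute URL.
function validateOpenUrlTarget(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return null; // not an absolute URL at all
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  if (parsed.username || parsed.password) return null; // no embedded credentials
  return parsed.href;
}

// Vulnerable pattern the article describes: the body value goes straight to
// the opener, so the client controls what the developer machine launches.
function handleOpenUrlUnsafe(body, opener) {
  const { url } = JSON.parse(body);
  opener(url);
  return 200;
}

// Hardened handler: parse defensively, validate, and only then call the opener
// with the canonicalised target. Anything else is rejected with 400.
function handleOpenUrlSafe(body, opener) {
  let url;
  try {
    ({ url } = JSON.parse(body));
  } catch {
    return 400;
  }
  const target = validateOpenUrlTarget(url);
  if (target === null) return 400;
  opener(target);
  return 200;
}
```

Validation is only half of the fix the article's recommendations imply: a dev server using this handler should also be bound to the loopback interface (for example `server.listen(port, '127.0.0.1')` in Node) so the endpoint is never reachable from the network in the first place.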
Active Exploitation Campaign
Vulnerability intelligence company VulnCheck has observed a threat actor exploiting this vulnerability, dubbed Metro4Shell, since December 21, 2025, with further attacks seen on January 4 and January 21. The campaign shows that the flaw provides a practical, cross-platform initial access mechanism.
Attack Chain Details
In all observed attacks, researchers noted the delivery of base-64 encoded PowerShell payloads hidden in the HTTP POST body of malicious requests. Once decoded and executed, these payloads perform a sophisticated sequence of actions:
- Disable endpoint protections by adding Microsoft Defender exclusion paths for both the current working directory and the system temporary directory using Add-MpPreference
- Establish a raw TCP connection to attacker-controlled infrastructure and issue a GET /windows request to retrieve the next-stage payload
- Write the received data to disk as an executable file in the system's temporary directory
- Execute the downloaded binary with a large, attacker-supplied argument string
Technical Analysis of the Malware
The Windows payload retrieved in these attacks is particularly sophisticated. It's a Rust-based UPX-packed binary with basic anti-analysis logic designed to evade detection. The same attacker infrastructure hosted a corresponding "linux" binary, indicating that the campaign is designed to target both major platforms used by developers.
Scope and Risk Assessment
Approximately 3,500 exposed React Native Metro servers are accessible online, according to scans using the ZoomEye search engine for connected devices, services, and web applications. Despite active exploitation being observed for over a month, the vulnerability still carries a low score in the Exploit Prediction Scoring System (EPSS), a risk assessment framework that estimates the likelihood of exploitation for security issues.
Mitigation and Protection
Organizations are urged to take immediate action to protect their development environments. The vulnerability affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2, and was fixed in version 20.0.0 and later.
Recommended Actions
- Update immediately to React Native Metro version 20.0.0 or later
- Restrict network access to Metro servers, ensuring they only bind to local interfaces during development
- Monitor network traffic for suspicious POST requests to /open-url endpoints
- Implement network segmentation to isolate development environments from production systems
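The attack chain above and the monitoring recommendation in this list both produce observable artefacts: a POST to /open-url arriving from a non-loopback address, and PowerShell script-block activity that adds a Defender exclusion or runs an encoded command. The following is an added example, not taken from the VulnCheck or JFrog reports, of a small log triage pass over both kinds of record. The access-log line format ("src-ip METHOD path status"), the script-block line format ("4104 script text", after Windows event ID 4104) and every sample line are constructed for illustration; it runs on Node.js with no dependencies.

```javascript
// Added example (not from the VulnCheck or JFrog reports). Log formats and all
// sample lines below are constructed; adapt the parsers to your own sources.

const LOOPBACK = /^(127\.\d+\.\d+\.\d+|::1|localhost)$/;

// Access-log line assumed as: "<src-ip> <METHOD> <path> <status>".
// Flags POST requests to the Metro /open-url endpoint that did not come from
// the developer's own machine.
function checkAccessLine(line) {
  const m = line.match(/^(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d{3})$/);
  if (!m) return null;
  const [, src, method, path] = m;
  if (method === 'POST' && path.startsWith('/open-url') && !LOOPBACK.test(src)) {
    return { rule: 'metro-open-url-remote-post', src, line };
  }
  return null;
}

// PowerShell script-block line assumed as: "4104 <script text>".
// Add-MpPreference -ExclusionPath is the Defender-exclusion step the article
// describes; -enc / -EncodedCommand with a long base64 blob matches the
// encoded delivery stage.
const PS_RULES = [
  { rule: 'defender-exclusion-added', re: /Add-MpPreference\b.*-ExclusionPath\b/i },
  { rule: 'encoded-powershell', re: /-enc(?:odedcommand)?\s+[A-Za-z0-9+\/=]{40,}/i },
];

function checkScriptBlockLine(line) {
  const m = line.match(/^4104\s+(.*)$/);
  if (!m) return null;
  const hits = PS_RULES.filter((r) => r.re.test(m[1])).map((r) => r.rule);
  return hits.length > 0 ? { rules: hits, line } : null;
}

// Run both checks over a mixed set of lines and return every finding.
function triage(lines) {
  const findings = [];
  for (const line of lines) {
    const a = checkAccessLine(line);
    if (a) findings.push(a);
    const p = checkScriptBlockLine(line);
    if (p) findings.push(p);
  }
  return findings;
}

// Constructed sample: a benign loopback POST, a remote POST, an unrelated GET,
// a benign script block, an exclusion-adding script block, and an encoded
// command whose payload is just a harmless Write-Host, base64-encoded the way
// PowerShell expects (UTF-16LE).
const ENCODED_SAMPLE = Buffer.from('Write-Host hello '.repeat(4), 'utf16le').toString('base64');
const SAMPLE_LINES = [
  '127.0.0.1 POST /open-url 200',
  '203.0.113.7 POST /open-url 200',
  '203.0.113.7 GET /status 200',
  '4104 Get-ChildItem -Path C:\\src',
  '4104 Add-MpPreference -ExclusionPath $env:TEMP -Force',
  '4104 powershell.exe -enc ' + ENCODED_SAMPLE,
];

// Expected on the sample: three findings (remote POST, exclusion, encoded command).
for (const f of triage(SAMPLE_LINES)) console.log(JSON.stringify(f));
```

The loopback exemption in `checkAccessLine` encodes the article's point that Metro should only be reachable locally: a POST to /open-url from any other address is itself the signal, regardless of the body. The script-block rules are deliberately narrow; in a real deployment they belong alongside, not instead of, the IoCs VulnCheck publishes.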
"Organizations cannot afford to wait for CISA KEV inclusion, vendor reports, or broad consensus before taking action," the researchers warn.
Indicators of Compromise
VulnCheck's report includes indicators of compromise (IoCs) for the attacker network infrastructure as well as Windows and Linux payloads. Development teams should review these IoCs and implement appropriate detection rules in their security monitoring systems.
Broader Context
This attack highlights the growing trend of targeting software development infrastructure as an entry point for broader compromises. Similar patterns have been observed in recent attacks against:
- Cisco AsyncOS zero-day exploits
- VMware RCE flaws
- Fortinet FortiSIEM vulnerabilities
- Trend Micro remote code execution bugs
These attacks demonstrate that threat actors are increasingly focusing on the software supply chain and development environments, recognizing them as critical weak points in organizational security.
Conclusion
The active exploitation of CVE-2025-11953 represents a significant threat to React Native developers and organizations using this popular framework. With sophisticated cross-platform malware being delivered through this vulnerability and thousands of potentially exposed servers online, immediate action is required to secure development environments and prevent compromise.
Development teams should prioritize updating their Metro server installations and implementing network controls to prevent unauthorized access to development endpoints. The combination of remote code execution capabilities and the widespread use of React Native makes this vulnerability particularly dangerous in the current threat landscape.
