Critical vulnerability in React Native development tool actively exploited
React Native Metro Vulnerability: A Wake-Up Call for Developer Security
A critical remote code execution vulnerability, CVE-2025-11953, in React Native’s Metro server is being actively exploited by attackers to breach developer systems. This flaw, dubbed “Metro4Shell,” allows malicious actors to execute code on both Windows and Linux systems, highlighting a significant risk to the software development lifecycle.
How the “Metro4Shell” Exploit Works
React Native’s Metro server is a JavaScript bundler used during application development and testing. While often intended for local use, it can, by default, bind to external network interfaces, exposing HTTP endpoints. The vulnerability lies within the /open-url endpoint, which accepts POST requests containing a URL that is then passed to an internal function without proper validation.
On Windows systems, this allows attackers to execute arbitrary system commands without authentication. On Linux and macOS, attackers can launch executable files, though with limited control over parameters. Exploits began appearing shortly after the vulnerability was announced, and threat actors were observed actively exploiting it as early as December 21, 2025, with continued activity into January 2026.
Attackers are leveraging base64-encoded PowerShell payloads delivered via HTTP POST requests. These payloads disable security features like Microsoft Defender before establishing a TCP connection to the attacker’s infrastructure to retrieve additional malware. A Rust-based Windows variant, compressed with UPX, is used to hinder analysis, and a Linux binary has also been identified, confirming cross-platform targeting.
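As an added example (not code from the article, the React Native project, or JFrog), the following shows what a defender can look for in an HTTP access log from a proxy placed in front of a development host: any POST to Metro's /open-url endpoint is flagged, and one arriving from a non-loopback source is rated high because it proves the server is reachable from the network. The log lines are constructed, and the Combined Log Format layout is an assumption about how such a proxy would log.

```javascript
// Added example: detect POST /open-url in a Combined Log Format access log.
// The four log lines below are constructed for illustration.
const LOG = `
127.0.0.1 - - [21/Dec/2025:10:02:11 +0000] "GET /status HTTP/1.1" 200 12 "-" "curl/8.4"
203.0.113.7 - - [21/Dec/2025:10:02:15 +0000] "POST /open-url HTTP/1.1" 200 2 "-" "python-requests/2.31"
127.0.0.1 - - [21/Dec/2025:10:03:00 +0000] "POST /open-url HTTP/1.1" 200 2 "-" "Mozilla/5.0"
10.0.0.5 - - [21/Dec/2025:10:04:00 +0000] "GET /index.bundle?platform=ios HTTP/1.1" 200 81921 "-" "okhttp/4.9"
`.trim();

// Combined Log Format: src ident user [time] "METHOD path proto" status bytes "referer" "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparseable line: skip rather than crash the scan
  return { src: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[6] };
}

function isLoopback(ip) {
  return ip === "::1" || ip.startsWith("127.");
}

// /open-url is a dev-only convenience endpoint: a loopback caller is expected tooling
// (info), a remote caller means the bundler is exposed on the network (high).
function classify(req) {
  if (req.method !== "POST" || req.path.split("?")[0] !== "/open-url") return null;
  return isLoopback(req.src) ? "info" : "high";
}

function scanLog(text) {
  const alerts = [];
  for (const line of text.split("\n")) {
    const req = parseLine(line);
    if (!req) continue;
    const sev = classify(req);
    if (sev) alerts.push({ sev, src: req.src, time: req.time, ua: req.ua });
  }
  return alerts;
}

console.log(scanLog(LOG));
```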
The Scale of the Problem: Thousands of Exposed Servers
Recent scans reveal that thousands of Metro servers are accessible via the internet. These exposed servers often represent development environments that were never intended to be publicly accessible. This presents a particularly attractive target for attackers, as development systems frequently have less stringent security measures but still possess access to sensitive source code, API keys, and internal networks.
Despite the active exploitation, the vulnerability currently receives a low score in the Exploit Prediction Scoring System. However, security researchers emphasize that organizations should not rely solely on these scores and should proactively address the vulnerability rather than waiting for official advisories.
What Developers and Organizations Need to Do
The vulnerability affects versions of @react-native-community/cli-server-api from 4.8.0 through 20.0.0-alpha.2. Updating to version 20.0.0 or newer resolves the issue. Organizations should immediately assess their environments to identify and update vulnerable instances of the React Native Community CLI.
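To make the version check concrete, here is an added example (not code from the advisory or the project) that walks an npm package-lock.json and reports every copy of @react-native-community/cli-server-api, nested copies included, whose version falls in the affected range quoted above. The prerelease-aware comparison matters because 20.0.0-alpha.2 sorts below 20.0.0; the lockfile layout (npm v2/v3 "packages" map) and the sample contents are assumptions.

```javascript
// Added example (not the project's code): flag copies of the affected package in an npm
// lockfile. Range from the advisory: 4.8.0 <= v <= 20.0.0-alpha.2 affected, 20.0.0+ fixed.
const PKG = "@react-native-community/cli-server-api";
const FIRST_BAD = "4.8.0", LAST_BAD = "20.0.0-alpha.2";

// Parse "MAJOR.MINOR.PATCH[-pre.release]" into comparable parts (build metadata ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { nums: [m[1], m[2], m[3]].map(Number), pre: m[4] ? m[4].split(".") : [] };
}

// Semver precedence: numeric fields, then prerelease < release, then prerelease
// identifiers left to right (numeric ones compared as numbers, e.g. alpha.10 > alpha.2).
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  if (!x.pre.length || !y.pre.length) return Number(!x.pre.length) - Number(!y.pre.length);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    if (x.pre[i] === undefined) return -1;   // shorter prerelease list sorts first
    if (y.pre[i] === undefined) return 1;
    const nx = /^\d+$/.test(x.pre[i]), ny = /^\d+$/.test(y.pre[i]);
    if (nx && ny) { if (+x.pre[i] !== +y.pre[i]) return +x.pre[i] < +y.pre[i] ? -1 : 1; }
    else if (nx !== ny) return nx ? -1 : 1;  // numeric identifiers rank below alphanumeric
    else if (x.pre[i] !== y.pre[i]) return x.pre[i] < y.pre[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  return compareSemver(version, FIRST_BAD) >= 0 && compareSemver(version, LAST_BAD) <= 0;
}

// Walk the "packages" map of an npm v2/v3 package-lock.json; nested copies count too.
function findVulnerable(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, e]) => path.endsWith("node_modules/" + PKG) && e.version && isVulnerable(e.version))
    .map(([path, e]) => ({ path, version: e.version }));
}

// Constructed sample lockfile: one vulnerable direct copy, one fixed nested copy.
const SAMPLE_LOCK = { packages: {
  [`node_modules/${PKG}`]: { version: "15.1.3" },
  [`node_modules/some-dep/node_modules/${PKG}`]: { version: "20.0.0" },
} };
console.log(findVulnerable(SAMPLE_LOCK));
```

On a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.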
JFrog Security has published indicators of compromise to help organizations determine if their systems have been compromised. Given the simplicity of the attack and the large number of exposed servers, this vulnerability remains a significant threat to developers and their organizations.
Pro Tip: Regularly scan your network for exposed development servers and ensure they are appropriately secured, even if they are believed to be isolated.
Future Trends: Securing the Software Supply Chain
The “Metro4Shell” vulnerability underscores a growing trend: increased targeting of the software supply chain. Developers and the tools they use are becoming prime targets for attackers seeking to compromise multiple organizations simultaneously. This incident highlights the need for a shift-left security approach, integrating security practices earlier in the development lifecycle.
Several key developments can be anticipated in the coming years:
- Increased Automation of Vulnerability Detection: Tools like vulnerability scanners and static analysis software will become more sophisticated and integrated into CI/CD pipelines.
- Enhanced Supply Chain Security Standards: Expect stricter security requirements for open-source dependencies and third-party tools.
- Greater Focus on Developer Security Training: Organizations will invest more in training developers on secure coding practices and common vulnerabilities.
- Zero Trust Architectures for Development Environments: Implementing zero trust principles, such as least privilege access and continuous verification, will become increasingly common.
FAQ
Q: What is CVE-2025-11953?
A: It’s a critical remote code execution vulnerability in React Native’s Metro server that allows attackers to run malicious code on developer systems.
Q: How can I check if my system is vulnerable?
A: Check if you are using a version of @react-native-community/cli-server-api between 4.8.0 and 20.0.0-alpha.2. Update to version 20.0.0 or newer to resolve the issue.
Q: What platforms are affected?
A: Windows and Linux systems are confirmed to be targeted, with potential impact on macOS as well.
Q: Is this vulnerability difficult to exploit?
A: No, the exploit is relatively simple, making it attractive to a wide range of attackers.
Did you know? Thousands of React Native Metro servers are currently accessible on the internet, making them potential targets for exploitation.