Hackers are focusing on builders by exploiting the essential vulnerability CVE-2025-11953 within the Metro server for React Native to ship malicious payloads for Home windows and Linux.
On Home windows, an unauthenticated attacker can leverage the safety situation to execute arbitrary OS instructions by way of a POST request. On Linux and macOS, the vulnerability can result in working arbitrary executables with restricted parameter management.
Metro is the default JavaScript bundler for React Native initiatives, and it’s important for constructing and working functions within the growth stage.
By default, Metro can bind to exterior community interfaces and expose development-only HTTP endpoints (/open-url) for native use throughout growth.
Researchers at software program supply-chain safety firm JFrog found the flaw and disclosed it in early November. After the general public disclosure, a number of proof-of-concept exploits emerged.
In a publish on the time, they stated that the difficulty was the /open-url HTTP endpoint accepting POST requests containing a user-supplied URL worth that may very well be handed unsanitized to the ‘open()’ perform.
The flaw impacts @react-native-community/cli-server-api variations 4.8.0 by way of 20.0.0-alpha.2, and was fastened in model 20.0.0 and later.
On December 21, 2025, vulnerability intelligence firm VulnCheck noticed a menace actor exploiting CVE-2025-11953, dubbed Metro4Shell. The exercise continued to ship the identical payloads on January 4th and twenty first.
“Exploitation has delivered superior payloads on each Linux and Home windows, demonstrating that Metro4Shell offers a sensible, cross-platform preliminary entry mechanism” – VulnCheck
In all three assaults, the researchers noticed the supply of the identical base-64 encoded PowerShell payloads hidden within the HTTP POST physique of the malicious requests reaching uncovered endpoints.
As soon as decoded and launched, the payloads carry out the next actions:
- Disable endpoint protections by including Microsoft Defender exclusion paths for each the present working listing and the system short-term listing utilizing Add-MpPreference.
- Set up a uncooked TCP connection to attacker-controlled infrastructure and situation a GET /home windows request to retrieve the next-stage payload.
- Write the obtained knowledge to disk as an executable file within the system’s short-term listing.
- Execute the downloaded binary with a big, attacker-supplied argument string.
The Home windows payload retrieved in these assaults is a Rust-based UPX-packed binary with fundamental anti-analysis logic. The identical infrastructure hosted a corresponding “linux” binary, indicating that the assaults cowl each platforms.
There are roughly 3,500 uncovered React Native Metro servers uncovered on-line, in accordance with scans utilizing the ZoomEye search engine for related units, companies, and internet functions.
Regardless of lively exploitation being noticed for over a month, the vulnerability nonetheless carries a low rating within the Exploit Prediction Scoring System (EPSS), a threat evaluation framework that estimates the probability of exploitation for a safety situation.
“Organizations can’t afford to attend for CISA KEV inclusion, vendor stories, or broad consensus earlier than taking motion,” the researchers say.
VulnCheck’s report consists of indicators of compromise (IoCs) for the attacker community infrastructure in addition to Home windows and Linux payloads.
Fashionable IT infrastructure strikes sooner than handbook workflows can deal with.
On this new Tines information, learn the way your group can cut back hidden handbook delays, enhance reliability by way of automated response, and construct and scale clever workflows on high of instruments you already use.
