
CVE-2025-11953: Metro4Shell RCE in React Native

CVE ID: CVE-2025-11953

Severity: CRITICAL | CVSS: 9.8

Sources: 2 different security sources

Let Me Explain What Happened

Let me tell you about something serious that's been happening in the React Native development community. If you're a developer working with React Native, or if your organization uses it to build mobile applications, you need to pay attention to this one. A critical vulnerability nicknamed "Metro4Shell" has been discovered in the React Native Community CLI, and I'm afraid the bad news is that attackers have already been exploiting it in the wild since December 21, 2025. This isn't a theoretical risk—this is actively being used to compromise developer systems right now.

A Bit More Detail

Here's what's going on: The Metro Development Server, which is the tool that React Native developers use every day to build and test their applications, has a serious flaw in how it handles network connections. By default, this server binds to external network interfaces—think of it like leaving your front door not just unlocked, but wide open to the street. Even worse, there's an endpoint in this server that's vulnerable to OS command injection, which means an attacker can send a specially crafted request and make your computer run whatever commands they want. No authentication required, no user interaction needed—just a simple POST request from anywhere on the network.

The vulnerability affects the popular "@react-native-community/cli" npm package, which has millions of downloads and is used by countless development teams worldwide. What makes this particularly dangerous is that developers often run these development servers on their workstations, which typically have access to source code repositories, credentials, and other sensitive development resources. When attackers compromise a developer's machine, they're not just getting one system—they're potentially getting the keys to your entire codebase.

The Technical Specifics

  • Attack Vector: NETWORK (AV:N) - Attackers can exploit this remotely over the network
  • Attack Complexity: LOW (AC:L) - No special conditions needed to exploit
  • Privileges Required: NONE (PR:N) - No authentication needed
  • User Interaction: NONE (UI:N) - Victim doesn't need to do anything
  • Impact: HIGH across Confidentiality, Integrity, and Availability
  • Affected Products: @react-native-community/cli npm package (Metro Development Server)
  • CWE: CWE-78 (OS Command Injection)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Understanding the Attack Timeline

According to VulnCheck's research reported by The Hacker News, exploitation of this vulnerability was first observed on December 21, 2025. That's important because it means attackers had a window of opportunity before the vulnerability became widely known. Both The Hacker News and BleepingComputer reported on February 3, 2026, that hackers are actively targeting developers by exploiting this flaw to deliver malicious payloads for both Windows and Linux systems.

On Windows systems, the situation is even more severe—attackers can execute arbitrary shell commands with fully controlled arguments, giving them essentially complete control over the compromised system. On both Windows and Linux, they can run arbitrary executables, which means they could install backdoors, steal credentials, exfiltrate source code, or use your development machine as a launching point for further attacks into your organization's network.

Why This Matters So Much

Let me put this in perspective for you. Development environments are often treated as trusted zones within organizations. Developers need access to production systems, source code repositories, API keys, database credentials, and cloud infrastructure. When an attacker compromises a developer's workstation through a vulnerability like Metro4Shell, they're not just getting access to one person's files—they're potentially getting access to your organization's crown jewels.

The fact that this vulnerability has a CVSS score of 9.8 out of 10 tells you just how serious this is. That score reflects the combination of factors that make this particularly dangerous: it's remotely exploitable, requires no authentication, needs no user interaction, and has high impact on confidentiality, integrity, and availability. In practical terms, this is about as bad as it gets for a vulnerability.

What You Should Do About This

  • Right Now - Immediate Actions:
    • Identify all systems in your organization running React Native development environments. Don't forget about CI/CD servers, build machines, and developer workstations.
    • If you're actively running a Metro Development Server, stop it immediately until you can verify you're running a patched version.
    • Check your firewall rules and network segmentation. The Metro Development Server should never be accessible from untrusted networks. If your developers are working remotely, ensure they're using VPNs and that the development server is only bound to localhost.
    • Review your logs for any suspicious POST requests to Metro Development Server endpoints, particularly any that might indicate command injection attempts.
    • Conduct an immediate security assessment of any systems that were running vulnerable versions of the CLI. Look for signs of compromise, unauthorized executables, or unusual network connections.
  • For the Long Term - Remediation and Prevention:
    • Update the @react-native-community/cli package immediately. The vulnerability has been patched in commit 15089907d1f1301b22c72d7f68846a2ef20df547. Review the official GitHub repository for the specific version numbers that contain this fix.
    • Configure your Metro Development Server to bind only to localhost (127.0.0.1) rather than external interfaces. This should be your default configuration for all development environments.
    • Implement network segmentation so that development environments are isolated from production systems and sensitive data stores. Use the principle of least privilege—developers should only have access to what they absolutely need.
    • Consider implementing additional monitoring for your development environments. Yes, they're "just" dev systems, but as we've seen, they're valuable targets for attackers.
    • Educate your development team about this vulnerability and the importance of keeping their development tools updated. Make it easy for them to stay current with security patches.
    • Review your software supply chain security practices. This vulnerability affects a widely-used npm package, which highlights the importance of monitoring and managing your dependencies.

Detection and Hunting Guidance

If you're a security analyst or incident responder, here's what you should be looking for. Monitor for unusual POST requests to Metro Development Server endpoints, typically running on port 8081 by default. Look for command injection patterns in HTTP request bodies, particularly those targeting the vulnerable endpoint. On Windows systems, watch for unexpected cmd.exe or powershell.exe process spawns from Node.js processes. On Linux, look for unusual bash or sh process creation from the Metro server process.

Check your network logs for connections to port 8081 from unexpected source IPs, especially from external networks. If you're using endpoint detection and response (EDR) tools, create alerts for process execution chains that start with the Metro Development Server and spawn system shells or download additional payloads. Review your web proxy logs for any outbound connections initiated by Node.js processes that might indicate data exfiltration or command-and-control communication.
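Detection logic for the two hunting signals described above (POSTs to Metro's default port 8081 from anything but loopback, and system shells spawned by a Node.js process), as an added example that is not part of the original write-up or the React Native project; the access-log shape, the event field names and every sample record are assumptions I constructed, not Metro's real log format.

```python
"""Hunting helpers for the guidance above: an added example, not code from the
page or the React Native project. Log shape, field names and records are assumed/constructed."""
import ipaddress
import re

METRO_PORT = 8081  # Metro's default listening port, as stated above
NODE_IMAGES = {"node", "node.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed log shape "<src_ip> <dst_port> <method> <path>"; constructed, not Metro's real format.
ACCESS_RE = re.compile(r"^(\S+) (\d+) ([A-Z]+) (\S+)$")

def suspicious_requests(lines):
    """POSTs to the Metro port from any non-loopback client. A server bound to
    127.0.0.1 only ever sees loopback clients, so any other source proves
    exposure; sources outside RFC 1918 space are the most urgent."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip it, do not abort the triage run
        src, dport, method, path = m.groups()
        if int(dport) != METRO_PORT or method != "POST":
            continue
        addr = ipaddress.ip_address(src)
        if addr.is_loopback:
            continue
        scope = "internal" if any(addr in net for net in RFC1918) else "external"
        hits.append((src, path, scope))
    return hits

def shell_spawned_by_node(events):
    """Process-creation events where a Node.js process (Metro runs in Node)
    starts a system shell: the EDR chain the page says to alert on."""
    return [(e["parent_image"], e["image"], e["cmdline"]) for e in events
            if e["parent_image"].lower() in NODE_IMAGES
            and e["image"].lower() in SHELL_IMAGES]

SAMPLE_LOG = [  # constructed records
    "127.0.0.1 8081 POST /status",     # local client, expected
    "10.0.0.7 8081 POST /status",      # LAN client: the server is exposed
    "203.0.113.45 8081 POST /status",  # external client: most urgent
    "203.0.113.45 3000 GET /",         # another service, ignored
    "garbage line",                    # must not crash the parser
]
SAMPLE_EVENTS = [  # constructed records
    {"parent_image": "node.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"parent_image": "node", "image": "bash", "cmdline": "bash -c ls"},
    {"parent_image": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
]
```

Feed real access logs and EDR process events into the two functions in place of the constructed samples; a non-empty result from either is a lead to investigate, not proof of compromise on its own.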

Going Deeper: MITRE ATT&CK Context

For those of you who map threats to the MITRE ATT&CK framework, this vulnerability and its exploitation align with several techniques. The initial exploitation represents T1190 - Exploit Public-Facing Application, though in this case, it's a development server rather than a production application. The command injection capability enables T1059 - Command and Scripting Interpreter, with sub-techniques for both Windows Command Shell (T1059.003) and Unix Shell (T1059.004) depending on the target platform.

Once attackers gain initial access through Metro4Shell, they can pivot to numerous other techniques depending on their objectives. They might use T1005 - Data from Local System to steal source code or credentials, T1021 - Remote Services to move laterally to other development systems, or T1567 - Exfiltration Over Web Service to steal intellectual property. The development environment context makes T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools particularly relevant, as attackers could inject malicious code into the software being developed.

A Word of Encouragement

I know this sounds scary, and it is serious, but remember that awareness is the first step toward protection. The fact that you're reading this and learning about Metro4Shell means you're already ahead of many organizations. The security community has identified this vulnerability, patches are available, and you now have the knowledge you need to protect your systems.

Take this as an opportunity to review not just this specific vulnerability, but your overall approach to development environment security. Too often, we focus all our security efforts on production systems while treating development environments as low-priority. Vulnerabilities like Metro4Shell remind us that attackers understand the value of development systems and actively target them.

Update your systems, review your configurations, and make sure your development environments are properly secured and monitored. You've got this, and your organization will be more secure because you took the time to understand and address this threat.

Where I Found This Information


Note: This is automated security intelligence based on multiple sources. Always test updates carefully in a development environment before applying them to production systems. Verify patch compatibility with your specific React Native version and project dependencies.
