Mallory

Critical Vulnerabilities Exploited in 2025, Including React Native CLI Metro Dev Server RCE

Tags: actively-exploited-vulnerability, rapid-weaponization, internet-exposed-service, open-source-dependency-vulnerability, initial-access-method

Updated March 21, 2026 at 03:02 PM (2 sources)


Attackers in 2025 rapidly exploited both new and longstanding vulnerabilities, with mass scanning and weaponization occurring within hours of disclosure. The most targeted weaknesses included deserialization flaws, memory corruption in edge devices, and privilege escalation bugs; some of them, such as the flaws in React Server Components and Microsoft WSUS, were compared to Log4Shell in scale and impact. The year's Top 25 exploited vulnerabilities highlighted systemic failures in patch management and asset visibility, as attackers used both recent and decade-old flaws to gain initial access, deploy webshells, and compromise CI/CD pipelines.

Among the most critical issues was CVE-2025-11953, a remote code execution vulnerability in the React Native Community CLI's Metro development server. The flaw, caused by unsanitized user input in the @react-native-community/cli-server-api package, allowed unauthenticated attackers to execute arbitrary OS commands through exposed HTTP endpoints. It posed a significant supply chain risk to mobile app development environments: a compromised developer workstation exposes credentials and can serve as a pivot into corporate networks. Multiple national CERTs and security vendors issued urgent alerts and mitigation guidance because of the vulnerability's high exploitability and widespread exposure.

Timeline

  1. Dec 23, 2025

    2025 exploitation trends highlight industrialized vulnerability weaponization

    A year-end assessment reported that attackers in 2025 rapidly weaponized both new and longstanding vulnerabilities across enterprise software, edge devices, and critical infrastructure. The report highlighted widespread abuse of flaws in products such as React Server Components, Microsoft WSUS, Adobe Commerce, Citrix NetScaler, and Shellshock, often leading to webshells, credential theft, lateral movement, and ransomware.

  2. Dec 22, 2025

    Alerts and emergency protections issued for CVE-2025-11953

    Multiple CERTs and web application firewall vendors issued alerts and emergency protections in response to the high-risk React Native Metro server vulnerability. Recommended mitigation included upgrading to version 20.0.0 or later, restricting binding to localhost, and deploying network protections.

  3. Dec 22, 2025

    Critical RCE affects React Native CLI Metro server packages

    CVE-2025-11953 was identified as a critical unauthenticated remote code execution flaw in the @react-native-community/cli-server-api package affecting versions 4.8.0 through 20.0.0-alpha.2. The issue stems from OS command injection via unsanitized input handled by the open() function in the Metro development server.


Related Entities

Vulnerabilities

- React2Shell (CVE-2025-55182)
- SSRF in Adminer (CVE-2021-21311)
- Command Injection in Ivanti Connect Secure and Policy Secure Web Components (CVE-2024-21887)
- CVE-2025-21421
- SessionReaper in Adobe Commerce and Magento Open Source REST API (CVE-2025-54236)
- Use-After-Free Privilege Escalation in Windows Common Log File System Driver (CVE-2025-32701)
- Type Confusion in Google Chrome V8 (CVE-2025-10585)
- Local Privilege Escalation in VMware Aria Operations and VMware Tools Service Discovery (CVE-2025-41244)
- Authentication Bypass and RCE in Gladinet Triofox (CVE-2025-12480)
- SSRF in Oracle E-Business Suite Oracle Configurator Runtime UI (CVE-2025-61884)
- Unauthenticated RCE in Fortinet FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera (CVE-2025-32756)
- Shellshock command injection in GNU Bash (CVE-2014-6278)
- CitrixBleed 2 (CVE-2025-5777)
- Unauthenticated RCE in Windows Server Update Services (WSUS) via unsafe deserialization (CVE-2025-59287)
- Palo Alto PAN-OS GlobalProtect Command Injection RCE (CVE-2024-3400)
- Apache Tomcat Default Servlet Partial PUT Path Equivalence RCE (CVE-2025-24813)
- WatchGuard Fireware OS IKEv2 Out-of-Bounds Write RCE (CVE-2025-9242)
- Sitecore ViewState Deserialization RCE (CVE-2025-53690)
- Stored XSS in Zimbra Collaboration Classic Web Client via ICS files (CVE-2025-27915)
- Fortinet FortiWeb Relative Path Traversal Authentication Bypass (CVE-2025-64446)
- Memory Corruption in Siemens Teamcenter Visualization and Tecnomatix Plant Simulation WRL File Parser (CVE-2025-23397)
- Fortinet FortiOS/FortiProxy SSL VPN Out-of-Bounds Write RCE (CVE-2024-21762)
- Windows Cloud Files Mini Filter Driver Elevation of Privilege (CVE-2025-62221)
- Rejected duplicate of React2Shell in Next.js App Router (CVE-2025-66478)
- Unauthenticated OS Command Injection in Fortinet FortiSIEM phMonitor (CVE-2025-25256)
- Metro4Shell (CVE-2025-11953)
- Git submodule path CR handling leads to hook execution (CVE-2025-48384)

Sources

December 23, 2025 at 12:00 AM

Related Stories

Critical Remote Code Execution Vulnerability in React Native CLI


A critical vulnerability, tracked as CVE-2025-11953, was discovered in the `@react-native-community/cli` npm package, which is widely used for developing React Native mobile applications. The flaw, rated with a CVSS score of 9.8, allows unauthenticated remote attackers to execute arbitrary operating system commands on machines running the React Native CLI's development server. The vulnerability stems from the Metro development server binding to external interfaces by default and exposing an `/open-url` endpoint that is susceptible to OS command injection. Attackers can exploit this by sending specially crafted POST requests, leading to remote code execution. On Windows systems, attackers can execute arbitrary shell commands with full argument control, while on Linux and macOS, arbitrary binaries can be executed with limited parameter control. The issue affects versions 4.8.0 through 20.0.0-alpha.2 of the `@react-native-community/cli-server-api` package and has been patched in version 20.0.0. The vulnerability posed a significant risk to millions of developers, as the package receives up to 2 million downloads per week. The flaw has since been addressed, but organizations using affected versions are urged to update immediately to mitigate the risk of exploitation. The vulnerability was reported by JFrog researchers and publicly disclosed in early November 2025.

1 month ago
In-the-wild exploitation of React Native Metro4Shell (CVE-2025-11953) for remote code execution


Threat actors have been observed exploiting **CVE-2025-11953** (aka **Metro4Shell**), a critical RCE flaw (CVSS **9.8**) in the React Native **Metro Development Server** exposed via the `@react-native-community/cli` / `@react-native-community/cli-server-api` npm packages. The issue stems from Metro’s development-only `/open-url` HTTP endpoint accepting attacker-controlled input that can be passed unsanitized to an `open()` call; under default configurations Metro may bind to external interfaces, making developer systems reachable from the internet. JFrog disclosed the vulnerability in November 2025, and multiple proof-of-concept exploits emerged after public disclosure; affected versions were reported as `@react-native-community/cli-server-api` **4.8.0 through 20.0.0-alpha.2**, with a fix in **20.0.0+**. VulnCheck telemetry and honeypot/canary observations indicate operational exploitation beginning **Dec 21, 2025**, with repeat activity on **Jan 4** and **Jan 21, 2026**, delivering consistent payloads rather than one-off probing. Observed attacks used **Base64-encoded PowerShell** delivered in HTTP POST bodies to exposed endpoints; the script added **Microsoft Defender** exclusions (including the current working directory and `C:\Users\<Username>\AppData\Local\Temp`), established a raw TCP connection to `8.218.43[.]248:60124`, downloaded an additional payload to the temp directory, and executed it. The downloaded binary was described as **Rust-based** with anti-analysis checks, and exploitation attempts were reported as originating from `5.109.182[.]231`, `223.6.249[.]141`, and `134.209.69[.]155`, underscoring the risk of internet-exposed development infrastructure being used as an initial access vector.

1 month ago
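The stories above describe the weak pattern (request input handed to `open()` on an externally bound `/open-url` endpoint) and the exposure attackers relied on. The following is an added example, not code from the React Native CLI or Metro projects: a conservative validator a hardened handler could apply before launching a URL, and a log triage helper that flags `/open-url` POSTs from non-loopback clients. Function names and the `<client_ip> <method> <path> <status>` log format are hypothetical, and the sample log lines are constructed.

```javascript
// Added example, not code from @react-native-community/cli or Metro.
// Names and the log format are hypothetical; sample data is constructed.

// Only characters a dev-tool URL needs; everything a shell or cmd.exe could
// interpret (spaces, quotes, ; | & $ ( ) < > ^ backtick) is excluded.
const SAFE_HREF = /^[A-Za-z0-9\-._~:\/?#%=@+]+$/;

// The weak pattern behind CVE-2025-11953 is handing the request body straight
// to open(). This validator admits only parseable http(s) URLs that pass the
// allowlist. The caller must still pass the result as a single argument
// (never through a shell) so that a URL can never become a command line.
function validateOpenUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(raw);                    // throws on anything not a URL
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return SAFE_HREF.test(parsed.href) ? parsed.href : null;
}

function isLoopback(ip) {
  return ip === '127.0.0.1' || ip === '::1' || ip === '::ffff:127.0.0.1';
}

// Detection: a POST to /open-url from a non-loopback client means the dev
// server is reachable beyond the workstation, the condition the in-the-wild
// activity depended on. Returns the offending client addresses.
function findExposedOpenUrlRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const [clientIp, method, path] = line.trim().split(/\s+/);
    if (method === 'POST' && path && path.split('?')[0] === '/open-url' && !isLoopback(clientIp)) {
      hits.push(clientIp);
    }
  }
  return hits;
}

// Constructed log lines in "<client_ip> <method> <path> <status>" form,
// using RFC 5737 documentation addresses.
const SAMPLE_LOG = [
  '127.0.0.1 GET /status 200',
  '203.0.113.5 POST /open-url 200',
  '127.0.0.1 POST /open-url 200',
  '198.51.100.9 POST /open-url?debugger=1 500',
];
```

Pairing the validator with a loopback-only bind address (the mitigation in the alerts above) removes both halves of the exposure; the triage helper is for confirming after the fact that no external client reached the endpoint.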
Critical Vulnerabilities and Exploitation Trends in 2025


Security researchers highlighted several high-impact vulnerabilities that shaped the threat landscape in 2025, including unauthenticated remote code execution flaws in widely used platforms such as React Server Components (CVE-2025-55182), SAP NetWeaver (CVE-2025-31324), PAN-OS (CVE-2025-0108), Cisco IOS XE (CVE-2025-20188), and Erlang/OTP SSH (CVE-2025-32433). These vulnerabilities were notable for their rapid exploitation following public disclosure, with attackers leveraging unauthenticated access and broad software reach to maximize impact. The year saw a shift in attacker focus, with perimeter devices and enterprise software becoming primary entry points, and defenders were forced to respond quickly as the window between disclosure and exploitation narrowed. In December 2025, Microsoft released one of its lightest Patch Tuesday updates, addressing 56 new CVEs. Despite the lower volume, security experts emphasized the importance of prioritizing vulnerabilities that were already exploited, publicly disclosed, or rated as critical with a high likelihood of exploitation. The analysis provided actionable intelligence for defenders, including technology-specific threat insights and resources for mitigating risk. The convergence of these trends underscored the need for rapid vulnerability management and highlighted recurring blind spots in enterprise defense strategies.

1 month ago