Mallory

In-the-wild exploitation of React Native Metro4Shell (CVE-2025-11953) for remote code execution

Tags: actively-exploited-vulnerability, proof-of-concept-release, internet-exposed-service, endpoint-security-bypass, initial-access-method
Updated March 21, 2026 at 02:40 PM (12 sources)

Threat actors have been observed exploiting CVE-2025-11953 (aka Metro4Shell), a critical RCE flaw (CVSS 9.8) in the React Native Metro Development Server exposed via the @react-native-community/cli / @react-native-community/cli-server-api npm packages. The issue stems from Metro’s development-only /open-url HTTP endpoint accepting attacker-controlled input that can be passed unsanitized to an open() call; under default configurations Metro may bind to external interfaces, making developer systems reachable from the internet. JFrog disclosed the vulnerability in November 2025, and multiple proof-of-concept exploits emerged after public disclosure; affected versions were reported as @react-native-community/cli-server-api 4.8.0 through 20.0.0-alpha.2, with a fix in 20.0.0+.

VulnCheck telemetry and honeypot/canary observations indicate operational exploitation beginning Dec 21, 2025, with repeat activity on Jan 4 and Jan 21, 2026, delivering consistent payloads rather than one-off probing. Observed attacks used Base64-encoded PowerShell delivered in HTTP POST bodies to exposed endpoints; the script added Microsoft Defender exclusions (including the current working directory and C:\Users\<Username>\AppData\Local\Temp), established a raw TCP connection to 8.218.43[.]248:60124, downloaded an additional payload to the temp directory, and executed it. The downloaded binary was described as Rust-based with anti-analysis checks, and exploitation attempts were reported as originating from 5.109.182[.]231, 223.6.249[.]141, and 134.209.69[.]155, underscoring the risk of internet-exposed development infrastructure being used as an initial access vector.

Timeline

  1. Feb 6, 2026

    CISA warns about exploited React Native command injection flaw

    CISA issued a warning about the React Native Community command injection vulnerability being exploited in attacks, further elevating the issue's visibility for defenders. This marked a U.S. government alert following earlier private-sector reporting of active exploitation.

  2. Feb 3, 2026

    Public reporting highlights active exploitation and available mitigations

    Multiple security news outlets amplified VulnCheck's findings, describing Metro4Shell as a critical unauthenticated command injection flaw in React Native's Metro server and recommending upgrades to fixed @react-native-community/cli versions and restricting network exposure. Coverage also noted that proof-of-concept exploit code had appeared publicly, increasing exploitation risk.

  3. Jan 28, 2026

    VulnCheck publicly reports in-the-wild Metro4Shell exploitation

    VulnCheck published research disclosing that CVE-2025-11953, dubbed Metro4Shell, had been exploited in the wild since December 2025. The report detailed the observed payload chain, emphasized the risk from internet-exposed developer tooling, and noted the disconnect between confirmed exploitation and low public recognition.

  4. Jan 21, 2026

    Another exploitation wave delivers multi-stage Rust malware payload

    A further round of attacks was observed in late January, again using cmd.exe to launch a base64-encoded PowerShell loader that added Microsoft Defender exclusions, contacted attacker infrastructure, and downloaded a UPX-packed Rust payload. Related infrastructure also hosted a Linux payload, suggesting multi-OS targeting.

  5. Jan 4, 2026

    Attackers continue Metro4Shell campaign with repeat exploitation

    VulnCheck observed additional exploitation activity on a later wave in early January, indicating the activity was sustained and operational rather than one-off scanning or testing. The intrusion chain remained consistent across observed attacks.

  6. Dec 21, 2025

    Metro4Shell exploitation first observed against exposed Metro servers

    VulnCheck's Canary network first observed real-world exploitation of CVE-2025-11953 against internet-exposed React Native Metro Development Server instances. The attacks used the vulnerable /open-url endpoint to achieve unauthenticated command execution.

Sources

February 6, 2026 at 04:37 AM

5 more from sources like Security Online Info, Register Security, Cyber Security News, Security Affairs and Bleeping Computer

Related Stories

Critical Remote Code Execution Vulnerability in React Native CLI

A critical vulnerability, tracked as CVE-2025-11953, was discovered in the `@react-native-community/cli` npm package, which is widely used for developing React Native mobile applications. The flaw, rated with a CVSS score of 9.8, allows unauthenticated remote attackers to execute arbitrary operating system commands on machines running the React Native CLI's development server. The vulnerability stems from the Metro development server binding to external interfaces by default and exposing an `/open-url` endpoint that is susceptible to OS command injection. Attackers can exploit this by sending specially crafted POST requests, leading to remote code execution. On Windows systems, attackers can execute arbitrary shell commands with full argument control, while on Linux and macOS, arbitrary binaries can be executed with limited parameter control. The issue affects versions 4.8.0 through 20.0.0-alpha.2 of the `@react-native-community/cli-server-api` package and has been patched in version 20.0.0. The vulnerability posed a significant risk to millions of developers, as the package receives up to 2 million downloads per week. The flaw has since been addressed, but organizations using affected versions are urged to update immediately to mitigate the risk of exploitation. The vulnerability was reported by JFrog researchers and publicly disclosed in early November 2025.

1 month ago
Critical Vulnerabilities Exploited in 2025, Including React Native CLI Metro Dev Server RCE

Attackers in 2025 rapidly exploited both new and longstanding vulnerabilities, with mass scanning and weaponization occurring within hours of disclosure. The most targeted weaknesses included deserialization flaws, memory corruption in edge devices, and privilege escalation bugs, with some vulnerabilities—such as those in React Server Components and Microsoft WSUS—being compared to Log4Shell in terms of scale and impact. The Top 25 exploited vulnerabilities of the year highlighted systemic failures in patch management and asset visibility, as attackers leveraged both recent and decade-old flaws to gain initial access, deploy webshells, and compromise CI/CD pipelines. Among the most critical issues was CVE-2025-11953, a remote code execution vulnerability in the React Native Community CLI’s Metro development server. This flaw, caused by unsanitized user input in the `@react-native-community/cli-server-api` package, allowed unauthenticated attackers to execute arbitrary OS commands via exposed HTTP endpoints. The vulnerability posed significant supply chain risks to mobile app development environments, enabling attackers to compromise developer workstations, steal credentials, and potentially pivot into corporate networks. Multiple national CERTs and security vendors issued urgent alerts and mitigation guidance due to the high exploitability and widespread exposure of this vulnerability.

1 month ago
Active Exploitation of React2Shell (CVE-2025-55182) in React Server Components

Threat actors are actively exploiting **React2Shell** (**CVE-2025-55182**), a critical remote code execution flaw in the Flight protocol used for client-server communication in **React Server Components**. The issue is attributed to **insecure deserialization** that can allow unauthorized code execution on vulnerable servers, with observed targeting across insurance, e-commerce, and IT organizations. Reported payloads include the **XMRig** cryptocurrency miner as well as multiple botnets and remote access tooling; campaigns observed against Russian entities deployed **RustoBot** and **Kaiji**, while other activity distributed malware such as **CrossC2**, **Tactical RMM**, **VShell**, and **EtherRAT**. Affected packages include `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack` in versions **19.0**, **19.1.0**, **19.1.1**, and **19.2.0**, with fixes available in **19.0.1**, **19.1.2**, and **19.2.1**. Separate reporting highlighted that attackers leveraged a **public proof-of-concept (PoC)** for React2Shell and began targeting organizations within hours, reinforcing that rapid weaponization is now common; defenders are advised to patch and also perform post-patch validation, including checking for indicators of compromise, verifying *Next.js* and dependency versions, rebuilding projects after updates, and confirming lockfiles no longer reference vulnerable package versions.

3 weeks ago