Hackers are concentrating on builders by exploiting the crucial vulnerability CVE-2025-11953 within the Metro server for React Native to ship malicious payloads for Home windows and Linux.
On Home windows, an unauthenticated attacker can leverage the safety difficulty to execute arbitrary OS instructions by way of a POST request. On Linux and macOS, the vulnerability can result in working arbitrary executables with restricted parameter management.
Metro is the default JavaScript bundler for React Native initiatives, and it’s important for constructing and working functions within the growth stage.
By default, Metro can bind to exterior community interfaces and expose development-only HTTP endpoints (/open-url) for native use throughout growth.
Researchers at software program supply-chain safety firm JFrog found the flaw and disclosed it in early November. After the general public disclosure, a number of proof-of-concept exploits emerged.
In a submit on the time, they stated that the difficulty was the /open-url HTTP endpoint accepting POST requests containing a user-supplied URL worth that might be handed unsanitized to the ‘open()’ operate.
The flaw impacts @react-native-community/cli-server-api variations 4.8.0 by 20.0.0-alpha.2, and was fastened in model 20.0.0 and later.
On December 21, 2025, vulnerability intelligence firm VulnCheck noticed a menace actor exploiting CVE-2025-11953, dubbed Metro4Shell. The exercise continued to ship the identical payloads on January 4th and twenty first.
“Exploitation has delivered superior payloads on each Linux and Home windows, demonstrating that Metro4Shell supplies a sensible, cross-platform preliminary entry mechanism” – VulnCheck
In all three assaults, the researchers noticed the supply of the identical base-64 encoded PowerShell payloads hidden within the HTTP POST physique of the malicious requests reaching uncovered endpoints.
As soon as decoded and launched, the payloads carry out the next actions:
- Disable endpoint protections by including Microsoft Defender exclusion paths for each the present working listing and the system momentary listing utilizing Add-MpPreference.
- Set up a uncooked TCP connection to attacker-controlled infrastructure and difficulty a GET /home windows request to retrieve the next-stage payload.
- Write the acquired information to disk as an executable file within the system’s momentary listing.
- Execute the downloaded binary with a big, attacker-supplied argument string.
The Home windows payload retrieved in these assaults is a Rust-based UPX-packed binary with primary anti-analysis logic. The identical infrastructure hosted a corresponding “linux” binary, indicating that the assaults cowl each platforms.
There are roughly 3,500 uncovered React Native Metro servers uncovered on-line, in response to scans utilizing the ZoomEye search engine for related units, companies, and net functions.
Regardless of lively exploitation being noticed for over a month, the vulnerability nonetheless carries a low rating within the Exploit Prediction Scoring System (EPSS), a danger evaluation framework that estimates the probability of exploitation for a safety difficulty.
“Organizations can’t afford to attend for CISA KEV inclusion, vendor studies, or broad consensus earlier than taking motion,” the researchers say.
VulnCheck’s report contains indicators of compromise (IoCs) for the attacker community infrastructure in addition to Home windows and Linux payloads.
Trendy IT infrastructure strikes quicker than handbook workflows can deal with.
On this new Tines information, find out how your group can cut back hidden handbook delays, enhance reliability by automated response, and construct and scale clever workflows on high of instruments you already use.
