Hackers Exploit Critical React Native Metro Vulnerability (CVE-2025-11953) for Cross-Platform Attacks
A critical vulnerability in the Metro server for React Native (CVE-2025-11953) is being actively exploited by threat actors to deliver malicious payloads on Windows and Linux systems. The flaw, discovered by JFrog in early November 2025, allows unauthenticated attackers to execute arbitrary OS commands via a crafted POST request to the /open-url endpoint, which processes unsanitized user-supplied URLs.
Metro, the default JavaScript bundler for React Native, is widely used in development environments and binds to external network interfaces by default, exposing HTTP endpoints. The vulnerability affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2, with a patch released in version 20.0.0.
Exploitation Timeline & Attack Details
On December 21, 2025, vulnerability intelligence firm VulnCheck identified active exploitation of the flaw, dubbed Metro4Shell, with follow-up attacks observed on January 4 and 21, 2025. The threat actor delivered Base64-encoded PowerShell payloads via HTTP POST requests, targeting exposed Metro servers.
Once executed, the payloads:
- Disabled endpoint protections by adding Microsoft Defender exclusion paths.
- Established a raw TCP connection to attacker-controlled infrastructure to fetch a second-stage payload.
- Downloaded and executed a Rust-based UPX-packed binary with anti-analysis features, using an oversized argument string to evade detection.
The same infrastructure hosted payloads for both Windows and Linux, confirming cross-platform targeting. Scans using ZoomEye identified approximately 3,500 exposed Metro servers online, highlighting the potential attack surface.
Despite active exploitation, the vulnerability remains low-scoring in the Exploit Prediction Scoring System (EPSS), underscoring risks in relying solely on such metrics for prioritization. VulnCheck’s report includes indicators of compromise (IoCs) for the attacker’s infrastructure and payloads.
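A defender-side check for the request pattern described above, as an added example that is not code from the article or from Metro, JFrog or VulnCheck: it flags POSTs to /open-url that arrive from a client other than the developer's own machine and raises the severity when the body carries an encoded PowerShell launch. It assumes a JSON-lines access log with client, method, path and body fields, which a reverse proxy or request-logging middleware in front of the dev server could produce.

```javascript
// Added example (not from the article, Metro, JFrog or VulnCheck): scan HTTP
// access-log lines for a POST to the Metro dev server's /open-url endpoint from
// a non-loopback client, and escalate when the body looks like an encoded
// PowerShell launch. The one-JSON-object-per-line log format with
// client/method/path/body fields is an assumption for this example.

// Constructed sample log lines; the bodies are harmless placeholders.
const SAMPLE_LOG = [
  JSON.stringify({ client: "127.0.0.1", method: "POST", path: "/open-url",
    body: '{"url":"http://localhost:8081/index.bundle"}' }),
  JSON.stringify({ client: "::1", method: "GET", path: "/status", body: "" }),
  JSON.stringify({ client: "203.0.113.7", method: "POST", path: "/open-url",
    body: '{"url":"powershell -nop -w hidden -enc SGVsbG8="}' }),
  JSON.stringify({ client: "198.51.100.9", method: "POST", path: "/open-url",
    body: '{"url":"https://example.test/"}' }),
  "this line is not JSON and must be skipped rather than crash the scanner",
];

// Loopback addresses: a developer's own tooling talking to its own Metro server.
const LOOPBACK = /^(127\.|::1$|::ffff:127\.)/;
// Encoded PowerShell launch (-e / -enc / -EncodedCommand) inside the request body.
const ENCODED_PS = /\b(powershell|pwsh)\b[^\n]*?-e(nc|ncodedcommand)?\b/i;

// Classify one log line. Returns null for benign or unparsable lines, otherwise
// { level, client, reason } where level is "high" or "medium".
function classify(line) {
  let rec;
  try { rec = JSON.parse(line); } catch { return null; }
  if (!rec || rec.method !== "POST" || rec.path !== "/open-url") return null;
  if (LOOPBACK.test(String(rec.client))) return null;
  const body = String(rec.body || "");
  if (ENCODED_PS.test(body)) {
    return { level: "high", client: rec.client,
      reason: "POST /open-url from non-loopback client with encoded PowerShell in body" };
  }
  return { level: "medium", client: rec.client,
    reason: "POST /open-url from non-loopback client" };
}

// Scan a whole log; returns the findings in log order, benign lines dropped.
function scanLog(lines) {
  return lines.map(classify).filter(Boolean);
}

for (const f of scanLog(SAMPLE_LOG)) console.log(`[${f.level}] ${f.client}: ${f.reason}`);
```

Any non-loopback hit is worth a look on its own, since a development bundler should not be receiving /open-url requests from other hosts at all; the PowerShell marker only sets priority.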