Hackers Exploit Critical React Native Metro Vulnerability (CVE-2025-11953) for Cross-Platform Attacks
Hackers are actively exploiting CVE-2025-11953, a critical vulnerability in the Metro server for React Native, to deliver malicious payloads targeting Windows and Linux systems. The flaw, discovered by JFrog in early November 2025, allows unauthenticated attackers to execute arbitrary OS commands via a crafted POST request to the /open-url endpoint.
Metro, the default JavaScript bundler for React Native, is widely used in development environments. The vulnerability stems from unsanitized user-supplied URLs passed to the open() function, affecting @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2. A patch was released in version 20.0.0.
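The root cause above is a request-supplied URL reaching open() without validation. One shape the fix can take, as an added example that is not code from Metro, the React Native CLI or the patched package (the handler shape, the `url` body field and the injectable opener are assumptions):

```javascript
// Added example, not the project's own code: a hardened "open this URL for the
// developer" handler. The raw request value never reaches the opener; only a
// parsed, allowlisted, re-serialised href does. Handler shape and field name are
// hypothetical assumptions.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Defense in depth: characters that have no place in a dev-server URL and would
// only matter to a shell-backed opener. '&' is kept because it separates query
// parameters in legitimate URLs.
const SHELL_META = /[\s"'`$|;<>{}\\]/;

// Returns { ok: true, href } for an acceptable URL, or { ok: false, reason }.
function validateOpenUrl(input) {
  if (typeof input !== "string" || input.length === 0 || input.length > 2048) {
    return { ok: false, reason: "url must be a non-empty string of bounded length" };
  }
  let parsed;
  try {
    parsed = new URL(input); // absolute URLs only; relative or malformed input throws
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    // Rejects file:, javascript:, custom schemes, etc.
    return { ok: false, reason: `protocol ${parsed.protocol} not allowed` };
  }
  if (SHELL_META.test(input)) {
    return { ok: false, reason: "shell metacharacters rejected" };
  }
  return { ok: true, href: parsed.href };
}

// Hypothetical handler: `body` is the parsed request body, `opener` is whatever
// launches the browser (injected so the logic can be exercised without a desktop).
function handleOpenUrl(body, opener) {
  const result = validateOpenUrl(body && body.url);
  if (!result.ok) {
    return { status: 400, body: { error: result.reason } };
  }
  opener(result.href); // validated, normalised href only
  return { status: 200, body: { opened: result.href } };
}
```

Binding the development server to the loopback interface remains the first line of defense; the validation above limits what a request can do if the server is reachable anyway.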
Exploitation Timeline & Impact
VulnCheck first observed attacks on December 21, 2025, with follow-up activity on January 4 and 21, 2025. Dubbed Metro4Shell, the campaign delivers base64-encoded PowerShell payloads that:
- Disable Microsoft Defender protections by adding exclusion paths.
- Establish a raw TCP connection to attacker-controlled infrastructure.
- Download and execute a Rust-based UPX-packed binary with anti-analysis features.
The same infrastructure hosts payloads for both Windows and Linux, confirming cross-platform targeting. Scans via ZoomEye identified ~3,500 exposed Metro servers online.
Despite active exploitation, the vulnerability remains low-scoring in the Exploit Prediction Scoring System (EPSS), highlighting a gap in risk prioritization. VulnCheck’s report includes indicators of compromise (IoCs) for the attacker’s infrastructure and payloads.