The critical vulnerability CVE-2025-11953, informally dubbed Metro4Shell, is being actively abused to compromise React Native development environments. Attackers are exploiting a flaw in the Metro server, the default JavaScript bundler for React Native, to run malicious payloads on developer workstations and build servers. Confirmed exploitation so far targets Windows hosts, with a Linux payload staged on the same attacker infrastructure.
What the React Native Metro server is and why it became a target
The Metro server is a development-time HTTP service that React Native uses to bundle JavaScript and serve it to the app running on a device or emulator. During development it starts a local HTTP server (port 8081 by default) that can bind not only to localhost but also to external network interfaces. Alongside the bundle, this server exposes helper endpoints such as /open-url that are intended strictly for use by the developer tools on the same machine.
The security issue emerges when this development service is reachable from outside the host machine — for example, due to misconfigured IDEs, VPNs, reverse proxies or cloud development environments. In such cases, the React Native Metro server effectively becomes a production-exposed attack surface. For an external attacker it is comparable in value to a vulnerable web application on the public internet, providing a direct entry point into corporate networks.
How CVE-2025-11953 (Metro4Shell) enables remote code execution
Researchers at JFrog disclosed CVE-2025-11953 in November 2025. They found that the Metro server’s /open-url endpoint accepts an HTTP POST whose JSON body carries a url field and passes that value, without validation or sanitization, to the open() function of the open npm package, which hands it to the operating system’s default handler. The endpoint requires no authentication, so any client that can reach the server can trigger it. On Windows, open() builds a PowerShell command line around the value, so shell metacharacters in an attacker-supplied string become an injected command and the result is unauthenticated remote code execution; on other platforms the impact is narrower, as described below.
Windows attacks: base64 PowerShell and UPX-packed Rust malware
Security company VulnCheck reported the first confirmed in-the-wild exploitation of Metro4Shell on 21 December 2025, with additional waves observed on 4 and 21 January 2026. In these attacks, adversaries sent crafted HTTP POST requests to the vulnerable /open-url endpoint, embedding base64-encoded PowerShell scripts in the request body.
Once decoded and executed, the PowerShell script downloaded and ran a Windows payload: a UPX-packed Rust binary with basic anti-analysis features, including code obfuscation and environment checks intended to hinder static and dynamic analysis. Investigators also identified a similar Linux binary hosted on the same infrastructure, indicating a deliberately cross-platform campaign.
Linux and macOS exploitation: constrained but still dangerous
On Linux and macOS, exploitation of CVE-2025-11953 generally does not yield arbitrary command lines with attacker-controlled arguments: the value is handed to the system opener (xdg-open on Linux, open on macOS) as a single argument rather than interpolated into a shell command. It still lets an attacker launch an executable or file handler on the host. For a skilled adversary that is enough to deploy staged loaders, cryptocurrency miners or remote access tools (RATs), or to establish an initial foothold for lateral movement across the network.
Affected versions and scale of exposure
The vulnerability affects the @react-native-community/cli-server-api package in versions 4.8.0 through 20.0.0-alpha.2. The flaw is patched in release 20.0.0, where the behavior of the /open-url endpoint was redesigned and URL handling was significantly hardened.
According to internet-wide banner search data from ZoomEye, approximately 3,500 React Native Metro servers are exposed to the public internet. These instances likely include both individual developer machines and environments operated by larger organizations building mobile applications with React Native. Each exposed Metro server represents a potential entry point into source code repositories, CI/CD pipelines and sensitive backend infrastructure.
Developer infrastructure as a high‑value attack vector
The significance of CVE-2025-11953 extends beyond this specific bug. It highlights a recurring pattern: once a development service is reachable from the internet, it must be treated as production infrastructure. Similar weaknesses have been repeatedly exploited in platforms such as Jenkins, GitLab runners and other CI/CD systems.
Major incidents over the past years — including compromises of build pipelines and CI tooling in the software supply chain — have shown that attackers increasingly target the development lifecycle rather than only customer-facing applications. Reports such as the Verizon Data Breach Investigations Report consistently note the role of misconfiguration and exposed internal services in enabling these attacks.
Development services are often configured “just to work,” without strong authentication, network segmentation or monitoring. Once a developer workstation or build agent is compromised, attackers can obtain source code, API tokens, SSH keys, VPN profiles and other secrets, using them to pivot deeper into cloud and on-premises environments.
Mitigation strategies for Metro4Shell and similar vulnerabilities
To reduce the risk of Metro4Shell exploitation and strengthen React Native security, organizations should combine several defensive measures:
1. Patch immediately. Update @react-native-community/cli-server-api to version 20.0.0 or later across all projects and build environments. The package is normally pulled in transitively through the React Native CLI rather than listed in package.json, so audit lockfiles rather than direct dependencies, and rebuild lockfiles and CI images so that older vulnerable versions are not resolved implicitly.
2. Restrict network exposure. Bind Metro servers strictly to 127.0.0.1 (localhost) and avoid exposing them directly to the internet or flat corporate networks. When remote access is required, prefer secure tunnels (for example, VPNs or SSH port forwarding) rather than open listening ports.
3. Enforce segmentation and Zero Trust principles. Treat development assets as high-value production systems. Isolate developer networks, apply least-privilege access controls and ensure that access to build servers, artifact repositories and source control is tightly governed and logged.
4. Monitor for abnormal activity. Deploy logging and detection rules to flag unusual HTTP requests to endpoints like /open-url, unexpected PowerShell invocations, sudden downloads of unknown binaries and anomalous outbound connections from developer hosts.
Metro4Shell underlines how quickly the line between “internal” developer tooling and “external” production services is disappearing. Treating development infrastructure as a second-class citizen for security is no longer a tolerable trade-off for convenience. Organizations that regularly audit exposed services, keep dependencies up to date and embed DevSecOps practices into everyday development workflows will be far better positioned to withstand the evolving wave of attacks targeting the React Native ecosystem and the wider software supply chain.