Hackers exploit critical React Native Metro bug to breach dev systems

Hackers are targeting developers by exploiting the critical vulnerability CVE-2025-11953 in the Metro server for React Native to deliver malicious payloads for Windows and Linux.

On Windows, an unauthenticated attacker can leverage the security issue to execute arbitrary OS commands via a single POST request. On Linux and macOS, the vulnerability can result in running arbitrary executables, with only limited control over their parameters.

Metro is the default JavaScript bundler for React Native projects, and it is essential for building and running applications during the development stage.


By default, Metro can bind to external network interfaces and expose development-only HTTP endpoints (such as /open-url) that are intended for local use during development.

Researchers at software supply-chain security company JFrog discovered the flaw and disclosed it in early November. After the public disclosure, several proof-of-concept exploits emerged.

In a post at the time, they said that the issue was the /open-url HTTP endpoint accepting POST requests containing a user-supplied URL value that could be passed unsanitized to the 'open()' function.


The flaw affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2, and was fixed in version 20.0.0 and later.
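As an added example (not JFrog's or the project's code), the following Python script checks an npm lockfile for the affected package range stated above. It assumes the lockfileVersion 2/3 layout, in which every installed package appears under "packages" keyed by its node_modules path, and the lockfile content it scans is constructed for illustration. The semver comparison matters here because 20.0.0-alpha.2 is still vulnerable while 20.0.0 is not, and a naive string comparison gets that wrong.

```python
import json
import re

# Affected range from the advisory: 4.8.0 through 20.0.0-alpha.2, fixed in 20.0.0.
PACKAGE = "@react-native-community/cli-server-api"
FIRST_AFFECTED = "4.8.0"
FIXED_IN = "20.0.0"

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def semver_key(version):
    """Sort key implementing semver precedence, including the rule that a pre-release
    (20.0.0-alpha.2) sorts below the corresponding release (20.0.0)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    major, minor, patch, prerelease = m.groups()
    core = (int(major), int(minor), int(patch))
    if prerelease is None:
        return core + ((1,),)  # a release outranks any pre-release of the same core version
    idents = tuple(
        (0, int(i), "") if i.isdigit() else (1, 0, i)  # numeric identifiers sort before alphanumeric
        for i in prerelease.split(".")
    )
    return core + ((0,) + idents,)


def is_vulnerable(version):
    """True if this cli-server-api version falls inside the affected range."""
    key = semver_key(version)
    return semver_key(FIRST_AFFECTED) <= key < semver_key(FIXED_IN)


def find_vulnerable_installs(lockfile_text):
    """Return (path, version) for every installed copy of the package in the affected range.
    Nested copies (node_modules/x/node_modules/...) are checked too, since each is loaded separately."""
    lock = json.loads(lockfile_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PACKAGE) and "version" in meta:
            if is_vulnerable(meta["version"]):
                hits.append((path, meta["version"]))
    return hits


# Constructed package-lock.json excerpt (not from a real project): one vulnerable top-level
# copy and one already-fixed nested copy.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@react-native-community/cli-server-api": {"version": "12.3.6"},
        "node_modules/some-tool/node_modules/@react-native-community/cli-server-api": {"version": "20.0.0"},
        "node_modules/metro": {"version": "0.80.12"},
    },
})

if __name__ == "__main__":
    for path, version in find_vulnerable_installs(SAMPLE_LOCKFILE):
        print(f"VULNERABLE {version} at {path}")
```

Run it against a real `package-lock.json` by reading the file into `find_vulnerable_installs`; projects using yarn or pnpm would need the equivalent lockfile parser, which this example does not include.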

On December 21, 2025, vulnerability intelligence company VulnCheck observed a threat actor exploiting CVE-2025-11953, dubbed Metro4Shell. The activity continued, delivering the same payloads again on January 4 and January 21.

“Exploitation has delivered advanced payloads on both Linux and Windows, demonstrating that Metro4Shell provides a practical, cross-platform initial access mechanism” – VulnCheck

In all three attacks, the researchers observed the delivery of the same base64-encoded PowerShell payloads hidden in the HTTP POST body of the malicious requests reaching exposed endpoints.

Once decoded and launched, the payloads perform the following actions:

  1. Disable endpoint protections by adding Microsoft Defender exclusion paths for both the current working directory and the system temporary directory using Add-MpPreference.
  2. Establish a raw TCP connection to attacker-controlled infrastructure and issue a GET /windows request to retrieve the next-stage payload.
  3. Write the received data to disk as an executable file in the system's temporary directory.
  4. Execute the downloaded binary with a large, attacker-supplied argument string.
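As an added example (not VulnCheck's detection logic and not its published IoCs), the following Python function triages HTTP requests against the pattern described above: a POST to /open-url whose body carries an encoded PowerShell command instead of a URL. The request shape, the indicator strings and the sample payload (a Defender-exclusion one-liner) are constructed for illustration; the real second-stage script is not reproduced here.

```python
import base64
import json
import re

# Illustrative indicator strings for the post-exploitation behaviour described in the article
# (Defender exclusions, raw TCP download, launching a dropped binary). These are not the real IoCs.
INDICATORS = (
    "Add-MpPreference", "-ExclusionPath", "TcpClient", "Start-Process",
    "Invoke-Expression", "DownloadString",
)
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
_PLAIN_URL = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://\S+$")
_PS_HINT = re.compile(r"(?i)powershell|-enc(odedcommand)?\b")


def decode_base64_run(run):
    """Decode one base64 run as text, trying UTF-16LE first (what powershell.exe
    -EncodedCommand expects) and then UTF-8. Returns [] if the run is not valid base64."""
    try:
        raw = base64.b64decode(run, validate=True)
    except ValueError:
        return []
    texts = []
    for codec in ("utf-16-le", "utf-8"):
        try:
            texts.append(raw.decode(codec))
        except UnicodeDecodeError:
            pass
    return texts


def analyze_request(method, path, body):
    """Return the reasons a request looks like /open-url abuse; [] means nothing suspicious."""
    reasons = []
    if method.upper() != "POST" or path.split("?", 1)[0] != "/open-url":
        return reasons
    try:
        url_value = json.loads(body).get("url", "")
    except (ValueError, AttributeError):
        url_value = body  # not a JSON object: inspect the raw body instead
    # Legitimate use of the endpoint opens a URL; anything else in the field is a red flag.
    if not isinstance(url_value, str) or not _PLAIN_URL.match(url_value):
        reasons.append("url field is not a plain URL")
    if _PS_HINT.search(body):
        reasons.append("PowerShell invocation in body")
    # Decode every long base64 run and look for the tampering/downloader indicators.
    for run in _B64_RUN.findall(body):
        for text in decode_base64_run(run):
            hits = [ind for ind in INDICATORS if ind.lower() in text.lower()]
            if hits:
                reasons.append("base64 decodes to PowerShell using: " + ", ".join(hits))
                break
    return reasons


def build_sample_malicious_request():
    """Constructed request (not the real attacker payload): a Defender-exclusion one-liner,
    base64-encoded from UTF-16LE the way -EncodedCommand requires, smuggled in the url field."""
    script = "Add-MpPreference -ExclusionPath $PWD, $env:TEMP"
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    body = json.dumps({"url": "powershell -NoProfile -EncodedCommand " + encoded})
    return "POST", "/open-url", body


if __name__ == "__main__":
    print(analyze_request(*build_sample_malicious_request()))
    print(analyze_request("POST", "/open-url", '{"url": "http://localhost:8081/debugger-ui"}'))
```

In practice the function would be fed from a reverse-proxy access log or from captured traffic to the Metro port (8081 by default); any /open-url request that does not come from the developer's own machine deserves a look regardless of what the body decodes to, because the endpoint was never meant to be reachable from the network.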

The Windows payload retrieved in these attacks is a Rust-based, UPX-packed binary with basic anti-analysis logic. The same infrastructure hosted a corresponding “linux” binary, indicating that the attacks cover both platforms.

There are roughly 3,500 React Native Metro servers exposed online, according to scans using ZoomEye, a search engine for internet-connected devices, services, and web applications.

Despite active exploitation having been observed for over a month, the vulnerability still carries a low score in the Exploit Prediction Scoring System (EPSS), a risk assessment framework that estimates the likelihood that a security issue will be exploited.

“Organizations can’t afford to wait for CISA KEV inclusion, vendor reports, or broad consensus before taking action,” the researchers say.

VulnCheck’s report includes indicators of compromise (IoCs) for the attacker network infrastructure as well as for the Windows and Linux payloads.
