Listen to this Post

A critical vulnerability in the Metro server for React Native, tracked as CVE-2025-11953, is actively being exploited by hackers to deliver malicious payloads to both Windows and Linux systems. This flaw exposes developers and organizations relying on React Native to severe risk, especially during the application development phase. Metro, the default JavaScript bundler for React Native, plays a vital role in building and running apps locally—but its design can leave endpoints exposed to attackers if not properly secured.
The vulnerability allows unauthenticated attackers on Windows to execute arbitrary operating system commands via a POST request. On Linux and macOS, attackers can run executables with limited parameter control. By default, Metro binds to external network interfaces and exposes development-only HTTP endpoints such as /open-url for local testing, which can be weaponized if accessible.
Security researchers at JFrog discovered CVE-2025-11953 in early November and disclosed it publicly, leading to multiple proof-of-concept exploits emerging online. The root cause lies in the /open-url endpoint, which accepts POST requests containing user-supplied URLs that are passed unsanitized to the open() function. This flaw affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 and has been patched in version 20.0.0 and later.
On December 21, 2025, vulnerability intelligence firm VulnCheck observed an attacker actively exploiting this flaw, naming the campaign Metro4Shell. Subsequent attacks occurred on January 4th and 21st. In all cases, the attackers delivered the same base64-encoded PowerShell payloads embedded in HTTP POST requests targeting exposed endpoints.
When executed, these payloads:
Disable endpoint protections by adding Microsoft Defender exclusion paths for the current directory and system temp folder.
Establish raw TCP connections to attacker-controlled servers to retrieve additional payloads.
Write and execute downloaded binaries on the local system, often with attacker-supplied arguments.
The Windows payload is a Rust-based UPX-packed binary with basic anti-analysis capabilities, while a corresponding Linux binary indicates a cross-platform attack strategy. Scans using the ZoomEye search engine show roughly 3,500 React Native Metro servers exposed online, providing ample targets.
Despite over a month of active exploitation, the vulnerability remains low on the Exploit Prediction Scoring System (EPSS). Security experts emphasize that organizations cannot afford to wait for formal advisories or consensus before taking preventive measures. VulnCheck’s report provides indicators of compromise (IoCs) for attacker infrastructure and payloads, helping defenders mitigate risks.
What Undercode Say:
Metro4Shell is a textbook example of how development tools, designed for local use, can become dangerous if exposed to the internet. Metro’s default behavior—binding to external interfaces and exposing endpoints—reflects a recurring theme in modern software: ease of use often comes at the cost of security.
Attackers exploiting this flaw are not performing theoretical experiments—they are delivering fully functional, multi-platform malware. The payloads are engineered to bypass basic endpoint protection, communicate with attacker-controlled servers, and install additional binaries, reflecting a high level of sophistication and planning. Rust-based Windows payloads and Linux counterparts demonstrate that threat actors are increasingly adopting cross-platform tooling, breaking the traditional “Windows-only” assumption in early-stage malware campaigns.
The presence of 3,500 exposed servers online shows that many developers may be running Metro in production or on improperly configured networks. This is a critical lapse, as Metro was never intended to be accessible publicly. Organizations need to audit development infrastructure, enforce network segmentation, and upgrade to patched versions immediately.
Furthermore, the low EPSS score is misleading. It reflects statistical likelihood based on prior exploitation trends, not the actual operational danger, which is clearly high given the real-world Metro4Shell attacks. Security teams should focus on defense-in-depth, monitoring for anomalous outbound TCP connections, unusual file writes, or unexpected PowerShell executions.
Metro4Shell also highlights the risks of supply-chain software vulnerabilities. Developers rarely scrutinize internal build tools for security, assuming that vulnerabilities in development-only servers are inconsequential. Metro4Shell proves otherwise: a single flaw in a development dependency can be an effective initial access vector for fully operational attacks.
In the broader context, Metro4Shell is a warning for modern IT infrastructure: automation and rapid development cycles are essential, but they must be paired with rigorous security hygiene. Exposed development servers, unpatched CLI tools, and default endpoint configurations create a perfect storm for exploitation.
Proactive measures include:
Ensuring Metro and React Native CLI tools are updated to the latest versions.
Restricting Metro endpoints to localhost and internal networks only.
Implementing network-level firewalls and endpoint monitoring.
Deploying automated alerts for anomalous POST requests to /open-url or similar endpoints.
Developers must treat build and testing environments with the same security mindset as production systems. Metro4Shell illustrates how attackers leverage development misconfigurations as entry points into broader IT ecosystems.
Fact Checker Results:
✅ CVE-2025-11953 affects Metro server for React Native and has been patched in version 20.0.0.
✅ Active exploitation of the vulnerability (Metro4Shell) observed on Windows and Linux platforms.
❌ The EPSS score being low does not reflect the actual risk of these attacks.
Prediction:
🚨 Metro4Shell is likely to inspire more cross-platform exploits targeting development dependencies.
⚠ Developers and IT teams ignoring development environment security will face increasing attacks.
✅ Organizations adopting proactive patching, endpoint monitoring, and network restrictions can mitigate the next wave of similar exploits.
If you want, I can also create a visual attack chain diagram for Metro4Shell showing Windows and Linux payload delivery—it would make the article more digestible for technical readers. Do you want me to do that?
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://stackoverflow.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




