Hackers exploit critical React Native Metro bug to breach dev systems CVE-2025-11953
Estimated reading time: 6 minutes
Key Takeaways:
- CVE-2025-11953 allows unauthenticated attackers to execute arbitrary code via the Metro server’s /open-url endpoint.
- Windows systems are especially vulnerable to command injection, while Linux and macOS face unauthorized executable launches.
- The “Metro4Shell” campaign has been active since late 2025, delivering multi-stage Rust-based payloads and disabling security controls.
- Security teams must update @react-native-community/cli-server-api (the React Native CLI's development-server package) to version 20.0.0 or later and bind the server to 127.0.0.1 to prevent network exposure.
Table of Contents:
- Technical Analysis of CVE-2025-11953 and the Metro Server
- Exploitation Patterns: The Metro4Shell Campaign
- Comparative Risk: React Server Components and CVE-2025-55182
- Strategic Implications for Developer Security
- Technical Mitigations and Takeaways
- PurpleOps Services and Enterprise Protection
- Frequently Asked Questions
Technical Analysis of CVE-2025-11953 and the Metro Server
The cybersecurity threat environment recently shifted focus toward developer infrastructure, as hackers exploit a critical React Native Metro bug to breach development systems through CVE-2025-11953. This vulnerability, identified in the React Native development server (the @react-native-community/cli-server-api package that fronts Metro, the default JavaScript bundler for React Native), allows unauthenticated attackers to execute arbitrary commands or launch malicious executables on development machines. Initial reports from security researchers indicate that threat actors are actively using this flaw to deliver multi-stage payloads across Windows, Linux, and macOS platforms.
Metro is essential infrastructure for React Native development: it bundles the application's JavaScript and, together with the CLI's development server, serves it to devices and simulators over HTTP. By default that development server binds to all network interfaces (0.0.0.0) rather than only to the loopback address, so its development-only HTTP endpoints are reachable from any host that can route to the workstation, not just from the developer's own machine. The specific flaw resides in the /open-url HTTP endpoint.
This endpoint accepts a POST request whose body carries a user-supplied URL; its intended use is to open a local development URL on the developer's machine. The value is passed without validation to the open() function of the open npm package, which hands it to the operating system's URL launcher. On Windows this lack of sanitization lets an unauthenticated attacker execute arbitrary OS commands with a single crafted POST request. On Linux and macOS the same request can launch arbitrary executables, although with less control over their arguments than on Windows.

The vulnerability affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2. While version 20.0.0 and subsequent releases contain a fix, thousands of instances remain unpatched and exposed. Search engine data from ZoomEye indicates approximately 3,500 React Native Metro servers are currently accessible via the public internet, providing a significant attack surface for threat actors seeking initial access to corporate networks through developer workstations.
Exploitation Patterns: The Metro4Shell Campaign
Since late December 2025, security intelligence has tracked a specific campaign dubbed “Metro4Shell.” This activity involves the delivery of advanced payloads targeting both Windows and Linux environments. The attack chain typically begins with a malicious HTTP POST request directed at the /open-url endpoint of an exposed Metro server.
Windows Payload Mechanics
In the observed Metro4Shell attacks, the POST body carries a base64-encoded PowerShell script. Once the development server processes the request and executes the command, the PowerShell payload performs several automated steps:
- Endpoint Protection Interference: The script runs Add-MpPreference to add Microsoft Defender exclusion paths. These exclusions typically cover the current working directory and the system's temporary directory, so that the files dropped in later stages are never scanned.
- C2 Communication: The payload opens a raw TCP connection to attacker-controlled infrastructure and sends a GET /windows request over it to a staging server to retrieve the second-stage payload.
- Binary Execution: The second-stage payload is a Rust-based, UPX-packed executable. It is written to the system's temporary directory and executed with a long string of attacker-supplied arguments. The use of Rust and UPX packing suggests a deliberate effort to defeat static analysis and signature-based detection.
Linux and macOS Payloads
While the Windows exploitation path is more direct because of the command injection, the Linux and macOS variants are still dangerous. On those platforms the attackers use the vulnerability to launch local binaries or downloaded scripts. Analysis of the attacker infrastructure also revealed a corresponding Linux binary, confirming that the threat actors maintain cross-platform capability. Covering this breadth of targets is a core part of supply-chain risk monitoring.
Comparative Risk: React Server Components and CVE-2025-55182
The exploitation of Metro servers occurs alongside another significant threat within the React ecosystem: CVE-2025-55182. This vulnerability affects React Server Components and carries a CVSS score of 10.0. Unlike the Metro bug, which primarily targets development environments, CVE-2025-55182 targets production servers through a pre-authentication remote code execution flaw.
Telemetry data shows a massive consolidation of exploitation attempts for CVE-2025-55182. In a single seven-day window, over 1.4 million exploitation attempts were recorded. Two specific IP addresses (193.142.147[.]209 and 87.121.84[.]24) accounted for over 56% of this traffic. These actors are deploying XMRig cryptominers and establishing reverse shells on port 12323.
The overlap in targeting between development tools (Metro) and framework components (React Server Components) suggests that attackers are viewing the entire JavaScript development and deployment lifecycle as a high-value target.
Organizations relying on these frameworks must recognize that their development environments are no longer secondary targets; they are primary gateways for initial access and need the same supply-chain risk monitoring as production.
Strategic Implications for Developer Security
The exploitation of CVE-2025-11953 underscores a critical gap in many corporate security strategies: the relative lack of protection for developer workstations compared to production environments. Developers often require administrative privileges and the ability to run unverified code, making their systems ideal targets for lateral movement.
The Metro4Shell campaign demonstrates that hackers are proficient in identifying these niche development tools. By targeting Metro, they gain access to systems that likely contain source code, API keys, and access credentials for cloud environments. This highlights the necessity for a comprehensive cyber threat intelligence platform that monitors not just production vulnerabilities, but also the tools used in the build process.
Furthermore, the low Exploit Prediction Scoring System (EPSS) score assigned to CVE-2025-11953, despite active exploitation, shows that static risk scores can lag behind the speed of modern exploit adoption. Organizations cannot rely solely on published vulnerability scores to prioritize patching. Real-time exploitation intelligence, delivered as live feeds or through an API, provides more accurate data on what is actually being exploited in the wild.
Technical Mitigations and Takeaways
To address the risks posed by CVE-2025-11953 and similar vulnerabilities in the development stack, technical teams should implement the following measures:
Immediate Remediation
- Update the development-server package: Ensure that @react-native-community/cli-server-api is updated to version 20.0.0 or later; check the installed version with npm ls @react-native-community/cli-server-api (or your package manager's equivalent). This should be enforced across all developer machines and CI/CD pipelines.
- Restrict Host Binding: Configure the development server to bind only to 127.0.0.1 (localhost) rather than 0.0.0.0, for example by starting it with npx react-native start --host 127.0.0.1. This keeps the server unreachable from other hosts on the network; a physical device that needs to reach it can be connected through adb reverse or an SSH tunnel instead.
- Audit Exposed Ports: Use internal scanning tools to identify any developer machines exposing port 8081 (the default Metro port), 3000, 3001, or 8080 to the network.
Network and Infrastructure Defense
- Egress Filtering: Block outbound connections from developer workstations to unknown external hosts, including on non-standard ports. The Metro4Shell campaign depends on fetching its second-stage payload over a direct TCP connection to attacker infrastructure; a default-deny egress policy or a web proxy with an allowlist breaks that chain.
- Endpoint Monitoring: Alert on Add-MpPreference in PowerShell script block logs (Event ID 4104), particularly with -ExclusionPath, and on Defender's own configuration-change events. Outside of managed deployment tooling this is a high-fidelity indicator of an attempt to disable security controls. Because the development server runs under Node, also watch for node.exe spawning cmd.exe or powershell.exe, which is how exploitation of this endpoint surfaces on a workstation.
- Implement Micro-segmentation: Isolate developer environments from the rest of the corporate network so that a compromised workstation cannot be used for lateral movement.
Intelligence-Driven Security
- Monitor Dark Web Activity: Utilize a dark web monitoring service to identify if your organization’s internal credentials or source code have been leaked following a developer system breach.
- Track Underground Forums: Many exploits for development tools are shared first in closed communities. Accessing underground forum intelligence can provide early warning of new attack vectors.
- Leverage Alerting Services: Implement brand leak alerting and telegram threat monitoring to stay informed about threat actors discussing specific vulnerabilities or targets related to your industry.
PurpleOps Services and Enterprise Protection
The exploitation of React Native Metro highlights the complexity of modern supply chain security. As developers integrate more third-party tools into their workflows, the potential for “shadow IT” in the form of insecure development servers increases. PurpleOps provides the expertise and tools necessary to secure these often-overlooked areas of IT infrastructure.
Our cyber threat intelligence platform is designed to give organizations visibility into the threats targeting their specific technology stack. Whether it is a framework vulnerability like CVE-2025-11953 or a broader supply chain attack, our intelligence feeds provide the context needed for rapid response.
For organizations concerned about the integrity of their software development lifecycle, PurpleOps offers specialized supply-chain risk monitoring. This service audits the tools and dependencies used by your engineering teams, ensuring that vulnerabilities in bundlers, compilers, and libraries do not become entry points for adversaries.
In addition to proactive monitoring, PurpleOps provides advanced penetration testing and red team operations. Our teams simulate the tactics used by the Metro4Shell actors to test your organization’s breach detection capabilities and incident response readiness. By identifying these gaps before a real attacker does, we help you secure your most critical assets.
For more information on how to protect your development infrastructure from emerging threats, explore our platform or contact our security experts today. We provide the tools and intelligence required to navigate the current cybersecurity environment and maintain the integrity of your digital operations.
Frequently Asked Questions
What is CVE-2025-11953?
It is a critical vulnerability in the React Native development server (the @react-native-community/cli-server-api package that fronts the Metro bundler) that allows unauthenticated attackers to execute arbitrary commands or launch executables on a developer's machine via the unsanitized /open-url HTTP endpoint.
How do attackers exploit the Metro server?
Attackers send a specially crafted HTTP POST request to the /open-url endpoint. Because the input is passed unsanitized to the system’s open function, it can trigger command execution on Windows or launch executables on Linux/macOS.
What is the “Metro4Shell” campaign?
Metro4Shell is an active campaign targeting exposed React Native development servers. It typically adds Microsoft Defender exclusions to blind local antivirus and delivers a Rust-based second-stage binary that gives the attackers persistent command-and-control (C2) access.
Which versions of Metro are vulnerable?
The vulnerability affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2. Treat any installed version from 4.8.0 up to, but not including, 20.0.0 as at risk.
How can I protect my organization?
Immediately update @react-native-community/cli-server-api to version 20.0.0 or later, ensure the development server binds only to 127.0.0.1, and implement strict egress filtering on developer workstations to block unauthorized C2 communications.