VulnCheck’s Canary honeypot network first detected operational exploitation of CVE-2025-11953 dubbed “Metro4Shell” on December 21, 2025, with continued attacks observed in January 2026, yet the vulnerability remains largely unrecognized in public security discourse despite its severity.
CVE-2025-11953 affects the Metro Development Server bundled with the @react-native-community/cli npm package, a cornerstone tool for React Native application development.
The vulnerability stems from the server’s default configuration, which binds to external network interfaces and exposes an /open-url endpoint that is vulnerable to OS command injection.
Security researchers at JFrog discovered that this endpoint passes user-controlled input directly to the unsafe open() function from the open npm package, enabling unauthenticated remote attackers to execute arbitrary shell commands.
On Windows systems, attackers gain full control over command execution with arbitrary arguments, while on macOS and Linux, they can launch executable files.
The vulnerability carries a CVSS score of 9.8, reflecting its critical severity, yet the Exploit Prediction Scoring System (EPSS) assigns it a mere 0.00405 probability of exploitation—a stark disconnect from observed reality.
VulnCheck’s analysis reveals that exploitation attempts were neither experimental nor exploratory, but rather demonstrated consistent operational deployment across multiple weeks.
The attacks employed a sophisticated multi-stage PowerShell-based loader delivered through cmd.exe, with the initial PowerShell payload base64-encoded to evade detection.
The decoded PowerShell script executes a deliberate attack sequence designed to establish persistence and evade endpoint security controls. First, it adds Microsoft Defender exclusion paths for both the current working directory and the Windows temporary directory, ensuring subsequent malicious activities bypass antivirus scanning.
The script then establishes a raw TCP connection to the attacker-controlled infrastructure, sending a GET /windows request to retrieve the next-stage payload.
The downloaded executable is written to the system’s temporary directory and executed with a lengthy argument string. Analysis revealed the binary as UPX-packed Rust-based malware that incorporates anti-analysis techniques, including runtime checks designed to hinder static inspection.
VulnCheck observed the same attack infrastructure hosting corresponding “linux” payloads, demonstrating the cross-platform nature of this campaign.
The most significant aspect of this campaign is the temporal disconnect between exploitation and public awareness. VulnCheck detected exploitation in December 2025 and added CVE-2025-11953 to its VulnCheck KEV (Known Exploited Vulnerabilities) catalog on the same day as initial detection.
However, as of late January 2026, public security discourse continues to frame the vulnerability as theoretical rather than an active intrusion vector.
This intelligence gap highlights a persistent challenge in vulnerability management: attackers do not wait for CISA KEV listings, vendor advisories, or security consensus before weaponizing flaws.
Developer tooling is a particularly attractive target because these systems are widespread, inconsistently monitored, and rarely treated as production-grade attack surfaces.
JFrog published a root cause analysis in November 2025, followed by multiple proof-of-concept exploits appearing on GitHub. VulnCheck customers gained visibility into exploitation potential even earlier, in November, through exploits and Suricata detection rules developed by the VulnCheck Initial Access Intelligence team.
This proactive intelligence enabled deployment of detection logic across VulnCheck’s Canary network before widespread exploitation began.
Organizations using React Native development environments must immediately upgrade to @react-native-community/cli version 20.0.0 or later, which addresses the vulnerability. The vulnerability affects versions from 4.8.0 through 20.0.0-alpha.2.
Development infrastructure must be treated as a production-grade attack surface regardless of original intent. Metro Development Servers should never be exposed to untrusted networks, and network segmentation should isolate development environments from internet-accessible interfaces.
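As an added illustration (not code from @react-native-community/cli, Metro, or VulnCheck), the block below shows the shape of the /open-url weakness described above and the two defensive checks a practitioner would want: a handler that accepts only an absolute http(s) URL before anything reaches the opener, and detection logic that applies the same rule to request-log lines. The log line format, the `opener` stand-in for `open()`, and the sample entries are all assumptions constructed for the example.

```javascript
// Added example: hardening for an /open-url style handler plus a log check.
// Only absolute http(s) URLs may reach the opener; the vulnerable pattern the
// article describes forwards the request's url value to open() unconditionally.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns the normalized URL string when it is safe to hand to a browser opener, else null.
function validateOpenUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(raw); // relative paths and bare program names throw here
  } catch {
    return null;
  }
  // A Windows drive path such as "C:\..." parses with protocol "c:" and is rejected here.
  return ALLOWED_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

// Handler shape: reject before the opener is ever invoked. `opener` is a
// stand-in for open() (assumed signature: a single string argument).
function handleOpenUrl(params, opener) {
  const target = validateOpenUrl(params.url);
  if (target === null) return { status: 400, opened: null };
  opener(target);
  return { status: 200, opened: target };
}

// Detection: parse constructed "<ip> <METHOD> <path>" lines and report
// /open-url requests whose url parameter fails the same validation.
function flagOpenUrlRequests(logLines) {
  const findings = [];
  for (const line of logLines) {
    const [ip, method, path] = line.trim().split(/\s+/);
    if (!path || !path.startsWith("/open-url")) continue;
    const query = new URL(path, "http://localhost").searchParams;
    const url = query.get("url"); // null when the parameter is absent
    if (validateOpenUrl(url) === null) findings.push({ ip, method, url });
  }
  return findings;
}

// Constructed sample lines: a legitimate debugger URL from localhost, a bare
// executable path from a documentation-range address, and an unrelated request.
const SAMPLE_LOG = [
  "127.0.0.1 POST /open-url?url=http%3A%2F%2Flocalhost%3A8081%2Fdebugger-ui",
  "203.0.113.5 POST /open-url?url=C%3A%5CUsers%5CPublic%5Cstage.exe",
  "127.0.0.1 GET /status",
];
```

Binding the development server to the loopback interface, as the paragraph above recommends, is a separate control; the validation here is a second layer for the case where the server is reachable anyway.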
CVE-2025-11953 reinforces a critical pattern that defenders continue to relearn: exploitation begins the moment vulnerable systems become reachable, not when authoritative catalogs acknowledge the threat.
Organizations cannot afford to wait for consensus before implementing defensive measures against actively exploited vulnerabilities targeting developer workflows.
| IP Address | Role | Source |
|---|---|---|
| 65.109.182.231 | Exploitation source | VulnCheck Canary |
| 223.6.249.141 | Exploitation source | VulnCheck Canary |
| 134.209.69.155 | Exploitation source | VulnCheck Canary |
| 8.218.43.248 | Payload host (Windows) | VulnCheck Canary |
| 47.86.33.195 | Payload host (Windows/Linux) | VulnCheck Canary |

| SHA-256 Hash | Description | Source |
|---|---|---|
| d8337df3aff749250557bf11daf069eb404cce0e6f4f91c6bd6d3f78aed6e9d6 | UPX-packed Windows payload | VulnCheck Analysis |
| 7ecbb0cc88dfa5f187c209a28bd25e8e2d5113bb898a91ae273bca5983130886 | Unpacked Windows payload (Rust binary) | VulnCheck Analysis |
The post Hackers Exploiting React Native’s Metro Server in the Wild to Attack Developers appeared first on Cyber Security News.