Hackers are targeting developers by exploiting the critical vulnerability CVE-2025-11953 in the Metro server for React Native to deliver malicious payloads for Windows and Linux.
On Windows, an unauthenticated attacker can leverage the security issue to execute arbitrary OS commands via a POST request. On Linux and macOS, the vulnerability can lead to running arbitrary executables with limited parameter control.
Metro is the default JavaScript bundler for React Native projects, and it is essential for building and running applications in the development stage.
By default, Metro can bind to external network interfaces and expose development-only HTTP endpoints (/open-url) for local use during development.
Researchers at software supply-chain security company JFrog discovered the flaw and disclosed it in early November. After the public disclosure, multiple proof-of-concept exploits emerged.
In a post at the time, they said that the issue was the /open-url HTTP endpoint accepting POST requests containing a user-supplied URL value that could be passed unsanitized to the ‘open()’ function.
The flaw affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2, and was fixed in version 20.0.0 and later.
On December 21, 2025, vulnerability intelligence company VulnCheck observed a threat actor exploiting CVE-2025-11953, dubbed Metro4Shell. The activity continued to deliver the same payloads on January 4th and 21st.
“Exploitation has delivered advanced payloads on both Linux and Windows, demonstrating that Metro4Shell provides a practical, cross-platform initial access mechanism” - VulnCheck
In all three attacks, the researchers observed the delivery of the same base-64 encoded PowerShell payloads hidden in the HTTP POST body of the malicious requests reaching exposed endpoints.
... continue reading