Pierluigi Paganini
February 03, 2026
Attackers are actively exploiting a critical flaw in the React Native CLI Metro server, tracked as CVE-2025-11953. The React Native CLI’s Metro dev server binds to external interfaces by default and exposes a command injection flaw. Unauthenticated attackers can send POST requests to execute arbitrary programs, and on Windows can also run shell commands with fully controlled arguments.
“The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables.” reads the advisory. “On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.”
Metro is the JavaScript bundler and dev server used by React Native. By default it can expose an endpoint that lets unauthenticated attackers run OS commands on Windows.
VulnCheck researchers observed consistent, real-world attacks weeks before broad disclosure.
VulnCheck spotted real-world exploitation of CVE-2025-11953 (Metro4Shell) on December 21, 2025, and again in January, showing attackers kept using it. Despite this, the activity still lacks broad public attention and carries a low EPSS score. The gap is risky, since the flaw is easy to exploit and many exposed servers remain online.
“Now, more than a month after initial exploitation in the wild, that activity has yet to see broad public acknowledgment, and EPSS continues to assign a low exploitation probability of 0.00405.” reads the advisory published by VulnCheck. “This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide search data shows, exposed on the public internet.”
VulnCheck found active, sustained exploitation of CVE-2025-11953, showing it was used operationally rather than for testing. Attackers delivered a multi-stage, base64-encoded PowerShell loader via cmd.exe, disabled Microsoft Defender protections, fetched payloads over raw TCP, and executed a downloaded binary. The malware was a UPX-packed Rust payload with basic anti-analysis features.
The experts noted that attacks reused the same infrastructure and techniques for weeks. VulnCheck warns the lack of public acknowledgment risks leaving defenders unprepared, as exploitation often begins well before official recognition.
Below is the Network Infrastructure involved in the attacks:
| Indicator | Observed Role |
|---|---|
| 65.109.182.231 | Exploitation source |
| 223.6.249.141 | Exploitation source |
| 134.209.69.155 | Exploitation source |
| 8.218.43.248 | Payload host (Windows) |
| 47.86.33.195 | Payload host (Windows and Linux) |
“CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, React Native CLI)
