A severe security flaw in the React Native Metro development server — widely used by mobile developers — is being actively exploited in the wild, allowing attackers to compromise developer workstations, execute arbitrary code, and deploy malicious payloads.
What Is Affected?
The vulnerability, tracked as CVE-2025-11953, resides in the @react-native-community/cli package that powers the Metro bundler and development server — a core component in React Native application build workflows.
Metro is not merely a local tool: by default it can bind to external network interfaces, exposing HTTP endpoints intended only for developer use. This insecure configuration expands the attack surface beyond the host machine.
Vulnerability Mechanics
At its core, CVE-2025-11953 is an OS command injection flaw that yields remote code execution (RCE). It is rated critical with a CVSS score of 9.8, reflecting that exploitation requires almost no prerequisites.
Why It’s Dangerous
- Unauthenticated Access — Attackers do not require credentials.
- Remote Code Execution — A crafted HTTP request to a vulnerable Metro server can cause the system to run arbitrary commands.
The exposed endpoint (e.g., /open-url) was originally designed to assist with editing and debugging by opening source lines in an editor. Because its input is not sufficiently sanitized, user-controlled data is passed directly into system calls without filtering: a classic command injection.
Real-World Exploitation
Although initial advisories treated CVE-2025-11953 as a latent risk, cybersecurity telemetry now shows actual exploitation:
- Exploitation activity was first identified in December 2025 and has recurred into early 2026.
- Multiple attacks deliver a multistage PowerShell loader, written to disable Microsoft Defender protections before pulling additional malicious binaries from attacker infrastructure.
- Payloads include cross-platform malware targeting both Windows and Linux hosts.
One observed pattern uses Base64-encoded PowerShell scripts hidden in HTTP POST bodies, which decode and execute a loader that establishes command-and-control connections and retrieves further payloads.
Affected Versions
The flaw affects versions of @react-native-community/cli-server-api from 4.8.0 through 20.0.0-alpha.2; it is fixed in 20.0.0 and later releases. However, many environments remain outdated and vulnerable.
Technical Impact
On Windows:
- An attacker can issue a POST request that results in arbitrary OS command execution via the Metro server’s exposed endpoints.
On Linux/macOS:
- The degree of control over parameters varies, but attackers can still launch arbitrary executables, which gives significant control over developer systems.
Since development systems often contain source code, API keys, environment configurations, and connections to internal resources, exploitation can lead to credential theft, codebase tampering, and wider supply-chain compromise.
Why This Matters
This vulnerability differs from “normal” server RCE bugs:
- Unlike web server bugs limited to public production hosts, this one targets developer workstations and build environments.
- Developer systems are often less hardened, lack network isolation, and may inadvertently expose Metro servers to the wider network.
- Compromise at this stage can allow attackers to embed malware directly into applications during build/test phases — a classic software supply-chain attack.
Mitigation and Best Practices
Immediate Actions for Developers:
- Upgrade @react-native-community/cli (including cli-server-api) to 20.0.0 or later; the patch removes the vulnerable behavior.
- Disable external binding of Metro when not absolutely necessary: explicitly bind to localhost only.
- Network hardening: Block access to development servers from untrusted networks, and isolate development machines behind firewalls or VPNs.
- Scan for exposed servers: Use internal tooling or security scanners to identify Metro instances bound to public or internal networks.
- Monitor for Indicators of Compromise (IoCs): Look for unusual service binds or decoded PowerShell loader executions.
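As an added example (not code from the advisory or the React Native project), the checks below run over a constructed access log kept by a proxy in front of a Metro server and flag the two things the monitoring guidance above describes: requests reaching the developer-only server from non-loopback addresses, and Base64-encoded POST bodies to /open-url that decode to PowerShell loader markers. The log format, the token list and the decoded sample command are assumptions made for this example.

```python
import base64
import binascii
import re
from ipaddress import ip_address

# Assumed log line layout: <src_ip> "<METHOD> <path>" <status> body=<base64|->
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) body=(?P<body>\S+)$'
)
OPEN_URL = "/open-url"
# Heuristic markers for a PowerShell loader (assumption, not an advisory signature)
SUSPICIOUS_TOKENS = ("powershell", "-encodedcommand", "set-mppreference", "iex(")


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample entries, not real telemetry
SAMPLE_LOG = [
    '127.0.0.1 "GET /open-url?url=vscode://file/App.tsx:12" 200 body=-',
    '10.0.0.42 "POST /open-url" 200 body='
    + _b64('powershell.exe -NoProfile -WindowStyle Hidden -Command "LOADER_PLACEHOLDER"'),
    '10.0.0.7 "GET /status" 200 body=-',
    '127.0.0.1 "POST /open-url" 200 body=' + _b64("vscode://file/App.tsx:40"),
]


def decode_body(body: str) -> str:
    """Return the lower-cased decoded body, or '' if absent or not valid Base64."""
    if body == "-":
        return ""
    try:
        return base64.b64decode(body, validate=True).decode("utf-8", "replace").lower()
    except (binascii.Error, ValueError):
        return ""


def analyze(lines):
    """Return one finding per suspicious line with the reasons it was flagged."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        reasons = []
        if not ip_address(m["ip"]).is_loopback:
            reasons.append("request from non-loopback source to a developer-only server")
        path = m["path"].split("?", 1)[0]
        decoded = decode_body(m["body"])
        if path == OPEN_URL and m["method"] == "POST" and decoded:
            hits = [t for t in SUSPICIOUS_TOKENS if t in decoded]
            if hits:
                reasons.append("encoded POST body to /open-url decodes to loader markers: " + ", ".join(hits))
        if reasons:
            findings.append({"line": n, "src": m["ip"], "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']} from {f['src']} {f['path']}: " + "; ".join(f["reasons"]))
```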
The Broader Ecosystem Context
This incident fits a wider trend of development-environment vulnerabilities being weaponized. It sits alongside critical RCE bugs such as React2Shell (CVE-2025-55182) in React Server Components, where poor validation and deserialization allowed unauthenticated RCE across production servers.
