A critical security flaw in the React Native Metro development server, tracked as CVE-2025-11953, is being actively exploited to breach developer workstations and build and delivery systems on both Windows and Linux. What was once treated as a “theoretical” development-tool weakness has proven to be a real risk in the wild, with attackers using it to deliver malicious payloads that compromise developer infrastructure.
What Is Metro and Why It Matters
Metro is the default JavaScript bundler and development server used by projects built with React Native, a widely adopted framework for building mobile applications with JavaScript. During development, Metro serves application code to emulators, devices, and local clients. When developers start Metro with commands such as npm start, npx react-native start, or similar, it launches an HTTP server (on port 8081 by default) that serves bundles and accepts development and debugger actions over HTTP.
Because Metro is critical in the developer lifecycle, any flaw in its code can have a broad impact on developer systems, build servers, and continuous integration environments.
About the Vulnerability: CVE-2025-11953
The issue resides in the @react-native-community/cli-server-api package, the part of the React Native CLI that implements Metro's development HTTP endpoints, and affects versions 4.8.0 through 20.0.0-alpha.2. The flaw is in how the server handles its /open-url endpoint. When that endpoint receives a POST request, it takes the client-supplied url parameter and passes it, without any validation, to the third-party open Node.js module, which asks the operating system to launch whatever the value names. Because the value is never checked to be a URL at all, the client decides what the operating system is asked to run.
Combined with a default configuration in which the development server listens on all network interfaces rather than only on loopback, this means an unauthenticated attacker who can reach the port over the network can send a crafted request and achieve remote code execution (RCE) on the developer's machine. This is particularly concerning because most development setups assume Metro is reachable only from the local machine, not from the network.
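To make the flow concrete, here is an added example in Node.js written for this page; it is not code from the React Native CLI or from the advisory. It shows a request handler that forwards the request's url field straight to open(), the pattern the vulnerability description above gives, next to a hardened handler that only forwards well-formed http/https URLs. The open module is replaced by a stub that records what would have been launched, the request bodies are constructed, and the hardened check is one reasonable fix rather than a claim about what the 20.0.0 patch itself does.

```javascript
// Added example (editor's illustration, not code from the upstream package):
// the shape of the /open-url weakness and one hardened form of the handler.
// The `open` npm module is replaced by a recording stub so nothing is launched.

// Stub standing in for the `open` module: records what would have reached the OS launcher.
function makeFakeOpen() {
  const launched = [];
  return { launched, open: (target) => launched.push(target) };
}

// VULNERABLE pattern (the behaviour the advisory describes): the request's
// `url` field reaches open() unchanged. Whether it is an http URL, a file path
// or a program name is decided by the OS launcher, not by the server.
function vulnerableOpenUrlHandler(body, open) {
  const { url } = body;
  open(url);
  return { status: 200 };
}

// HARDENED pattern (an illustration, not the 20.0.0 patch itself): parse the
// value as a URL, accept only http/https with a host, reject everything else.
// Returns the normalised href, or null when the value must not reach open().
function validateOpenUrl(value) {
  if (typeof value !== "string" || value.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(value); // WHATWG URL parser, global in Node.js
  } catch {
    return null; // not a URL at all (e.g. a bare program name or a path)
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  if (parsed.hostname === "") return null;
  return parsed.href;
}

function hardenedOpenUrlHandler(body, open) {
  const safe = validateOpenUrl(body && body.url);
  if (safe === null) return { status: 400 }; // refuse, and never call open()
  open(safe);
  return { status: 200 };
}

// Constructed request bodies for the demonstration (not captured traffic):
// one legitimate debugger link and one non-URL string of the kind that would
// otherwise be handed to the OS launcher.
const LEGIT_BODY = { url: "http://localhost:8081/debugger-ui" };
const HOSTILE_BODY = { url: "arbitrary-program --arbitrary-argument" };

function demo() {
  const v = makeFakeOpen();
  const h = makeFakeOpen();
  vulnerableOpenUrlHandler(HOSTILE_BODY, v.open); // raw value reaches the launcher
  const rejected = hardenedOpenUrlHandler(HOSTILE_BODY, h.open).status; // 400
  const accepted = hardenedOpenUrlHandler(LEGIT_BODY, h.open).status; // 200
  return {
    vulnerableLaunched: v.launched,
    hardenedLaunched: h.launched,
    rejected,
    accepted,
  };
}
```

The allow-list on the scheme is the important part: the danger is that the value is interpreted by the operating system's launcher, so anything that is not an http(s) URL must never reach it, and a blocklist of known-bad strings would not achieve that. Binding the server to loopback is a separate, complementary control; it limits who can reach the endpoint but does not change what the endpoint does with its input.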
Active Exploitation: Metro4Shell
Security researchers at vulnerability intelligence firm VulnCheck gave this flaw a name — Metro4Shell — after observing active exploitation in the wild starting in late December 2025, with sustained activity through January 2026.
Attackers have used Metro4Shell to deliver multi-stage payloads that leverage the weakness to breach systems and gain footholds:
- Endpoint Defense Disabling – The initial payload first weakens endpoint detection and response by adding the Metro server's current working directory and temporary folders to the Microsoft Defender exclusion list, so the stages dropped there are not scanned and are more likely to persist.
- Command & Control Contact – It then opens a raw TCP connection to attacker-controlled infrastructure and asks for further instructions with a minimal request such as GET /windows, which returns the next payload stage.
- Payload Deployment – That stage is written to disk as a binary file and executed with attacker-controlled arguments.
- Cross-Platform Coverage – Researchers observed attackers maintaining both Windows and Linux binaries, indicating an intent to target development environments regardless of operating system.
The Windows payload observed in current attacks is a UPX-packed Rust binary with basic anti-analysis logic, suggesting its authors are attempting to obscure its functionality while hindering security analysis.
How Many Systems Are Exposed?
Internet scanning services such as ZoomEye index roughly 3,500 Metro servers reachable from the public internet, meaning a non-trivial number of development machines and CI environments are potentially exposed to attackers. That figure counts only hosts visible from the internet; a Metro instance listening on all interfaces inside an office or home network is reachable by anyone on the same LAN and does not appear in such counts.
This exposure is concerning given that developer systems are often tightly integrated with code repositories, build pipelines, secret keys, and other sensitive infrastructure assets.
Mitigation and Fixes
The vulnerability was patched in version 20.0.0 of the affected package, so the primary mitigation is upgrading all projects and global installations of @react-native-community/cli-server-api to version 20.0.0 or later. The package normally arrives as a transitive dependency of the React Native CLI rather than as a direct dependency, so check lockfiles (including nested copies under other packages' node_modules) rather than only package.json.
For environments where updating is difficult or where developers want an additional layer of protection, it is recommended to:
- Bind the Metro development server explicitly to localhost with --host 127.0.0.1 (for example npx react-native start --host 127.0.0.1) so it does not listen on external network interfaces. Note that this also stops physical test devices on the same Wi-Fi from reaching Metro; if that workflow is needed, rely on the firewall rules below instead of exposing the port broadly.
- Restrict access to development ports (8081 by default for Metro) through host firewalls, VPNs, or local network segmentation.
- Monitor network traffic for POST requests to the /open-url endpoint that originate from anything other than the developer's own machine, and for unexpected outbound connections from developer hosts to unfamiliar infrastructure.
- Scan CI/CD systems and developer workstations for indicators of compromise using the IOCs published by threat intelligence firms.
The Bigger Picture
CVE-2025-11953 shows how even tools meant for local development can become attack vectors when their defaults are insecure. Historically, developers have prioritized ease of use over security, often assuming development tools are isolated. However, as this incident demonstrates, development infrastructure can quickly become production risk if exposed unnecessarily.
As supply chain security continues to be a focus for software organizations, incidents like Metro4Shell highlight the importance of continuous dependency scanning, secure defaults, and proactive patch management to reduce risk before vulnerabilities turn into active breaches.
