Hackers exploit React Native Metro vulnerability to launch cross-platform attacks 


Hackers are actively targeting software developers by exploiting a critical vulnerability in the Metro server for React Native, tracked as CVE-2025-11953, to deliver malicious payloads on Windows and Linux systems.

The flaw affects Metro, the default JavaScript bundler used during React Native application development. By default, Metro can bind to external network interfaces and expose development-only HTTP endpoints, including /open-url, which are intended for local use.

Researchers found that the endpoint improperly accepts POST requests containing a user-supplied URL that is passed unsanitized to the underlying open() function.

On Windows systems, the vulnerability allows an unauthenticated attacker to execute arbitrary operating system commands via a crafted POST request. On Linux and macOS, exploitation can result in the execution of arbitrary binaries with limited control over parameters.

The issue was discovered by researchers at software supply-chain security firm JFrog and disclosed in early November. Following public disclosure, multiple proof-of-concept exploits appeared. The vulnerability impacts @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 and was resolved in version 20.0.0 and later.

On December 21, 2025, vulnerability intelligence company VulnCheck observed a threat actor actively exploiting CVE-2025-11953, which it dubbed “Metro4Shell.” The same activity was detected again on January 4 and January 21.

In all observed cases, attackers delivered base64-encoded PowerShell payloads concealed within the HTTP POST body sent to exposed Metro endpoints. Once decoded and executed, the payloads disabled endpoint protections by adding Microsoft Defender exclusion paths, established a raw TCP connection to attacker-controlled infrastructure to retrieve a second-stage payload, wrote the downloaded data to disk as an executable in the system’s temporary directory, and then executed it with a large, attacker-supplied argument string.
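The endpoint behaviour described above and the observed payload shape suggest a simple triage rule for anyone logging traffic in front of a Metro dev server. The helper below is an added example, not code from the article, JFrog, VulnCheck or the Metro project: it flags POST /open-url requests from non-loopback clients whose "url" value is not a real http(s) URL or carries a PowerShell invocation (raw or inside a base64 run). The record format and sample records are constructed.

```javascript
// Added example (not the article's or Metro's code): triage of request
// records captured in front of a React Native Metro dev server.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
const PS_MARKER = /powershell|-encodedcommand\b|-enc\b/i;

// Decode a base64 run both ways; -EncodedCommand blobs are UTF-16LE.
function decodeBlob(b64) {
  const buf = Buffer.from(b64, "base64");
  return buf.toString("utf8") + "\n" + buf.toString("utf16le");
}

// Return the reasons a request looks suspicious (empty array = nothing seen).
function assessRequest(rec) {
  const reasons = [];
  if (rec.method !== "POST" || rec.path !== "/open-url") return reasons;
  // /open-url exists for local tooling; Metro should not be reachable remotely.
  if (!LOOPBACK.has(rec.src)) reasons.push("non-loopback client");

  let url;
  try { url = JSON.parse(rec.body || "{}").url; } catch { /* malformed body */ }
  if (typeof url !== "string") return reasons.concat("no url string in body");

  // A genuine call carries a parseable http(s) URL; a command line does not.
  let parsed = null;
  try { parsed = new URL(url); } catch { /* not a URL at all */ }
  if (!parsed || !/^https?:$/.test(parsed.protocol)) reasons.push("url is not http(s)");

  // Look for a PowerShell invocation in the raw value or inside base64 runs.
  const blobs = url.match(/[A-Za-z0-9+/]{24,}={0,2}/g) || [];
  if (PS_MARKER.test(url) || blobs.some(b => PS_MARKER.test(decodeBlob(b))))
    reasons.push("PowerShell invocation in url");
  return reasons;
}

// Triage a batch of records, keeping only those with findings.
function triage(records) {
  return records.map(r => ({ ...r, reasons: assessRequest(r) }))
                .filter(r => r.reasons.length > 0);
}

// Constructed sample records (not real traffic; the encoded command is harmless).
const SAMPLES = [
  { src: "127.0.0.1", method: "POST", path: "/open-url",
    body: JSON.stringify({ url: "http://localhost:8081/debugger-ui/" }) },
  { src: "203.0.113.5", method: "POST", path: "/open-url",
    body: JSON.stringify({ url: "powershell -EncodedCommand " +
      Buffer.from("Write-Output probe", "utf16le").toString("base64") }) },
  { src: "203.0.113.5", method: "GET", path: "/status", body: "" },
];

console.log(triage(SAMPLES));
```

Binding Metro to loopback only removes the first finding at the source; the remaining checks are still useful on any proxy or host log that records request bodies.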

The Windows payload was identified as a Rust-based binary packed with UPX and equipped with basic anti-analysis techniques. The same infrastructure also hosted a corresponding Linux binary. Researchers estimate that approximately 3,500 exposed React Native Metro servers are currently accessible online, based on scans conducted using the ZoomEye search engine.
