Hackers are actively exploiting a severe flaw, designated CVE-2025-11953, in the React Native Metro development server. This vulnerability allows them to deliver harmful software to both Windows and Linux developer machines. On Windows systems, attackers can run any operating system command remotely without authentication.
The flaw resides in a development-only HTTP endpoint called /open-url which accepts external connections by default. It improperly passes unsanitized user input to a system function, creating the security weakness. Software supply chain researchers at JFrog originally discovered and publicized this bug in early November.
Following that disclosure, practical exploit demonstrations began circulating online. A threat actor was observed using the exploit, dubbed Metro4Shell, from late December 2025 into January. Their attacks delivered sophisticated cross-platform payloads.
In these incidents, attackers sent malicious PowerShell commands hidden within HTTP requests. Once activated, these commands perform several intrusive actions. They first disable security software by adding exclusions to Microsoft Defender. Next, they connect to the attacker's server to download a secondary malicious program, which is then saved and executed on the compromised system.
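As an added defensive example (not code from the article or from the Metro project), the following script scans constructed access-log lines for the two warning signs the text describes: the /open-url development endpoint being reached from a non-loopback client, and a request whose URL parameter carries shell metacharacters or an interpreter name such as powershell. The log format, the sample lines and the parameter name `url` are assumptions; adapt them to whatever your proxy or dev server actually records.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic): client_ip method path status
SAMPLE_LOG = """\
127.0.0.1 GET /open-url?url=http%3A%2F%2Flocalhost%3A8081%2Findex.bundle 200
203.0.113.5 GET /open-url?url=x%22%26powershell 200
198.51.100.7 GET /status 200
192.168.1.20 GET /open-url?url=http%3A%2F%2F192.168.1.20%3A8081%2F 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Interpreter names, the Defender exclusion cmdlet, and shell metacharacters
# have no business in a URL the dev server is asked to open.
SUSPICIOUS = re.compile(r"(powershell|cmd\.exe|/bin/sh|Add-MpPreference|[;&|`$])", re.IGNORECASE)


def analyze_line(line):
    """Return None for lines that do not hit /open-url, else a dict with findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, path = m["ip"], m["path"]
    parts = urlsplit(path)
    if parts.path != "/open-url":
        return None
    # parse_qs splits on '&' before percent-decoding, so an encoded '%26'
    # inside the value stays inside the value; 'url' is an assumed parameter name.
    url = parse_qs(parts.query).get("url", [""])[0]
    findings = []
    if not ip_address(ip).is_loopback:
        findings.append("non-loopback client reached dev endpoint")
    if SUSPICIOUS.search(url):
        findings.append("shell metacharacter or interpreter name in url parameter")
    if not url.lower().startswith(("http://", "https://")):
        findings.append("url parameter is not an http(s) URL")
    return {"ip": ip, "url": url, "findings": findings}


def scan(log_text):
    """Return only the /open-url requests that produced at least one finding."""
    return [r for r in (analyze_line(l) for l in log_text.splitlines()) if r and r["findings"]]
```

A legitimate local request produces no findings; any hit from a routable address is worth investigating on its own, since the endpoint should never be reachable from outside the developer's machine.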
The final payload is a packed Rust-based binary with anti-analysis features, and a Linux version also exists. Scans indicate that around 3,500 React Native Metro servers remain publicly accessible on the internet, presenting a significant attack surface. Despite over a month of confirmed active exploitation, this vulnerability still receives a surprisingly low risk score in common threat prediction models.
Security experts emphasize that organizations must act promptly to patch this issue and should not wait for formal mandates. Indicators of compromise related to these attacks have been published to aid in detection.
