Hackers Exploit Critical React Native Metro Bug to Breach Dev Systems
Summary:
Metro4Shell (CVE-2025-11953) is a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, affecting the Metro Development Server within the widely used @react-native-community/cli npm package.
Recent observations by VulnCheck reveal that threat actors have been actively exploiting this flaw in the wild since December 2024. The exploit bypasses security assumptions by targeting internet-accessible development instances, allowing unauthenticated attackers to execute arbitrary operating system commands on the host machine.
Security Officer Comments:
The impact of Metro4Shell is severe, as it provides attackers with full system-level access to a developer's workstation or a build server. In observed attacks, threat actors have weaponized the flaw to deliver Base64-encoded PowerShell scripts that disable security measures, such as Microsoft Defender Antivirus exclusions for the working directory and temporary folders.
Once protections are neutralized, the attackers establish a raw TCP connection to a command-and-control (C2) server to download and execute a Rust-based binary. This binary contains sophisticated anti-analysis checks, indicating that the exploit is being used for operational intrusions, such as intellectual property theft or lateral movement, rather than mere proof-of-concept testing.
The affected product, React Native, is one of the most popular frameworks for building cross-platform mobile applications. Consequently, the vulnerability impacts a broad spectrum of organizations ranging from small startups to Fortune 500 enterprises. Software development firms, technology companies, and any business with an internal mobile app development team are at risk. Because the vulnerability resides in a core CLI component used during the development lifecycle, it affects any environment where developers are actively building, testing, or deploying React Native applications.
Managed Service Providers (MSPs) are significantly impacted by Metro4Shell, particularly those that offer software development services or manage DevOps infrastructure for their clients. MSPs often host build servers, CI/CD pipelines, and development environments that may be inadvertently exposed to the internet. If an MSP’s infrastructure is compromised through this vulnerability, it could serve as a gateway for supply chain attacks, allowing threat actors to inject malicious code into the applications of multiple downstream clients or pivot from the MSP’s management network into client environments.
Suggested Corrections:
The primary mitigation for Metro4Shell is to update the @react-native-community/cli package and the associated Metro server to the latest patched versions immediately.
Organizations should conduct a thorough audit of their networks to ensure that development servers are not exposed to the public internet; these servers should ideally be restricted to localhost or protected behind a VPN/Firewall with strict Access Control Lists (ACLs).
Additionally, security teams should hunt for Indicators of Compromise (IoCs), such as unusual PowerShell execution, unauthorized changes to Microsoft Defender exclusions, and outbound connections to suspicious IP addresses (e.g., 8[.]218[.]43[.]248 or 134[.]209[.]69[.]155).
Link(s):
https://www.vulncheck.com/blog/metro4shell_eitw
Metro4Shell (CVE-2025-11953) is a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, affecting the Metro Development Server within the widely used @react-native-community/cli npm package.
Recent observations by VulnCheck reveal that threat actors have been actively exploiting this flaw in the wild since December 2024. The exploit bypasses security assumptions by targeting internet-accessible development instances, allowing unauthenticated attackers to execute arbitrary operating system commands on the host machine.
Security Officer Comments:
The impact of Metro4Shell is severe, as it provides attackers with full system-level access to a developer's workstation or a build server. In observed attacks, threat actors have weaponized the flaw to deliver Base64-encoded PowerShell scripts that disable security measures, such as Microsoft Defender Antivirus exclusions for the working directory and temporary folders.
Once protections are neutralized, the attackers establish a raw TCP connection to a command-and-control (C2) server to download and execute a Rust-based binary. This binary contains sophisticated anti-analysis checks, indicating that the exploit is being used for operational intrusions, such as intellectual property theft or lateral movement, rather than mere proof-of-concept testing.
The affected product, React Native, is one of the most popular frameworks for building cross-platform mobile applications. Consequently, the vulnerability impacts a broad spectrum of organizations ranging from small startups to Fortune 500 enterprises. Software development firms, technology companies, and any business with an internal mobile app development team are at risk. Because the vulnerability resides in a core CLI component used during the development lifecycle, it affects any environment where developers are actively building, testing, or deploying React Native applications.
Managed Service Providers (MSPs) are significantly impacted by Metro4Shell, particularly those that offer software development services or manage DevOps infrastructure for their clients. MSPs often host build servers, CI/CD pipelines, and development environments that may be inadvertently exposed to the internet. If an MSP’s infrastructure is compromised through this vulnerability, it could serve as a gateway for supply chain attacks, allowing threat actors to inject malicious code into the applications of multiple downstream clients or pivot from the MSP’s management network into client environments.
Suggested Corrections:
The primary mitigation for Metro4Shell is to update the @react-native-community/cli package and the associated Metro server to the latest patched versions immediately.
Organizations should conduct a thorough audit of their networks to ensure that development servers are not exposed to the public internet; these servers should ideally be restricted to localhost or protected behind a VPN/Firewall with strict Access Control Lists (ACLs).
Additionally, security teams should hunt for Indicators of Compromise (IoCs), such as unusual PowerShell execution, unauthorized changes to Microsoft Defender exclusions, and outbound connections to suspicious IP addresses (e.g., 8[.]218[.]43[.]248 or 134[.]209[.]69[.]155).
Link(s):
https://www.vulncheck.com/blog/metro4shell_eitw