CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


Microsoft Patches 61 Vulnerabilities

Threat actors have been actively exploiting a critical React Native vulnerability, tracked as CVE-2025-11953 and dubbed Metro4Shell, since late December 2025. Despite limited public attention, real-world attacks have already been observed. The flaw enables unauthenticated remote code execution on exposed React Native development servers, highlighting a recurring security failure: development infrastructure unintentionally exposed to the public internet.

Context

CVE-2025-11953 affects the React Native Community CLI package (@react-native-community/cli), which sees roughly two million weekly downloads. The vulnerability resides in Metro, the JavaScript bundler and development server commonly used during React Native app development and testing.

Although development server vulnerabilities are often dismissed as low-risk due to assumed local-only exposure, recent warnings from JFrog and VulnCheck show that these assumptions no longer hold in modern cloud and CI/CD environments.

What Happened

VulnCheck observed active exploitation attempts beginning on December 21, with additional activity on January 4 and January 21, indicating sustained operational use. Thousands of internet-accessible React Native development servers are believed to be exposed.

Despite the vulnerability being disclosed in early November 2025, public discourse continued to frame it as a theoretical issue rather than an active intrusion vector—creating a dangerous gap between awareness and exploitation.

Technical Breakdown

Metro4Shell stems from Metro’s default behavior of binding to external network interfaces rather than only to the local host. Once the server is reachable, attackers can send unauthenticated POST requests that result in remote OS command execution.

Observed attacks deployed a multi-stage PowerShell loader that:

  • Disabled Microsoft Defender protections

  • Established a raw TCP connection to attacker-controlled infrastructure

  • Downloaded and executed a secondary payload

The final payload, written in Rust, included basic anti-analysis features and targeted both Windows and Linux systems, demonstrating cross-platform attacker intent.
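The exposure pattern described above (a dev server reachable from outside, then unauthenticated POSTs to it) can be triaged from ordinary access logs. The script below is an added example, not code from the article or from the Metro or React Native projects; it assumes common-log-format lines from a reverse proxy or host in front of the dev server, and the trusted address ranges and sample lines are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List

# Ranges treated as "inside" (assumption: RFC 1918, loopback, IPv6 ULA/loopback).
# ipaddress.is_private is avoided on purpose: it also covers documentation
# ranges such as 203.0.113.0/24, which the constructed samples use as "outside".
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7",
)]

# Common-log-format line: client ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines; request paths are placeholders, not Metro's real routes.
SAMPLE_LOG = """\
127.0.0.1 - - [21/Dec/2025:10:02:11 +0000] "GET /status HTTP/1.1" 200 2
10.20.0.7 - - [21/Dec/2025:10:03:40 +0000] "GET /index.bundle?platform=ios HTTP/1.1" 200 91233
203.0.113.45 - - [21/Dec/2025:10:05:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.45 - - [21/Dec/2025:10:05:03 +0000] "POST /dev-endpoint HTTP/1.1" 200 0
198.51.100.9 - - [04/Jan/2026:03:14:15 +0000] "POST /dev-endpoint HTTP/1.1" 200 0
not a log line
"""

def is_external(addr: str) -> bool:
    """True when the client address lies outside every trusted range."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in TRUSTED_NETS)

def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per request that reached the dev server from outside.

    Any external hit proves the server is internet-reachable ("exposed");
    an external POST matches the unauthenticated-POST vector and is rated "high".
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the triage
        client, ts, method, path, status = m.groups()
        if not is_external(client):
            continue
        severity = "high" if method.upper() == "POST" else "exposed"
        findings.append({"client": client, "time": ts, "method": method,
                         "path": path, "status": status, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['client']:15} {f['method']} {f['path']} ({f['time']})")
```

A single "exposed" finding is already the actionable result: it means the development server is not local-only and should be firewalled or bound to the loopback interface before any POST from the same source is investigated.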

Impact Analysis

Exploitation enables full system compromise, allowing attackers to:

  • Execute arbitrary commands

  • Deploy additional malware

  • Establish persistent access

  • Pivot into internal networks

Because Metro is commonly assumed to be “safe” for development use, many organizations fail to apply production-grade security controls, increasing exposure risk.

Why It Matters

Metro4Shell reinforces a hard lesson defenders repeatedly relearn: any service reachable from the internet is production infrastructure, regardless of original intent. Development tools, CI pipelines, and test servers are increasingly targeted because they are often less monitored and poorly secured.

Expert Commentary

“CVE-2025-11953 is not remarkable because it exists,” VulnCheck notes. “It is remarkable because it reinforces a pattern defenders continue to relearn.”

The deliberate disabling of endpoint security before payload retrieval shows attackers anticipated defensive controls and engineered evasion into the earliest stages of execution.

Key Takeaways

  • CVE-2025-11953 (Metro4Shell) is actively exploited in the wild

  • React Native development servers exposed to the internet are at risk

  • The flaw allows unauthenticated remote code execution

  • Attackers deploy multi-stage loaders with Defender evasion

  • Both Windows and Linux systems have been targeted

  • Development infrastructure must be secured like production
