Threat actors are actively delivering sophisticated malware payloads on Windows and Linux systems by taking advantage of a critical remote code execution vulnerability in React Native's Metro Development Server This article explores vulnerability react native. . The operational exploitation of CVE-2025-11953, also known as "Metro4Shell," was first discovered by VulnCheck's Canary honeypot network on December 21, 2025, and ongoing attacks were noted in January 2026.

Despite the vulnerability's seriousness, public security discourse has largely ignored it. The Metro Development Server, which comes with the @react-native-community/cli npm package and is a fundamental tool for developing React Native applications, is impacted by CVE-2025-11953. Learn more about LastPass Cybersecurity for safe web hosting Security of computers Solutions for data security Subscription to cybersecurity news Cybersecurity Software for vulnerability scanners Tools for ethical hacking The Complete Guide to Overcoming Endpoint Detection Systems: How to Avoid EDR.

The default configuration of the server, which binds to external network interfaces and exposes a /open-url, is the source of the vulnerability. An OS command injection vulnerability exists on the endpoint. Mitigations To fix the vulnerability, organizations utilizing React Native development environments need to update right away to @react-native-community/cli version 20.0.0 or higher.

Versions 4.8.0 through 20.0.0-alpha are impacted by the vulnerability.Two. Regardless of its initial purpose, development infrastructure must be regarded as a production-grade attack surface. Network segmentation should separate development environments from internet-accessible interfaces, and Metro Development Servers should never be connected to untrusted networks. A crucial pattern that defenders are still learning is reinforced by CVE-2025-11953: exploitation starts as soon as vulnerable systems are accessible, not when authoritative catalogs recognize the threat.