cbcvebase.
CVE-2025-11953
published 2025-11-03

Priority: P1 (99), critical, 9.8 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2026-02-26
Exploited in the wild
EPSS: 61.94% (99.1th percentile)
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.

Affected (9 ranges)

Vendor                  Product                      Version range                 Fixed in
react-native-community  cli                          >= 18.0.0 < 18.0.1            18.0.1
react-native-community  cli                          >= 19.0.0-alpha.0 < 19.1.2    19.1.2
react-native-community  cli                          >= 20.0.0-alpha.0 < 20.0.0    20.0.0
react-native-community  cli-server-api               >= 18.0.0 < 18.0.1            18.0.1
react-native-community  cli-server-api               >= 19.0.0-alpha.0 < 19.1.2    19.1.2
react-native-community  cli-server-api               >= 20.0.0-alpha.0 < 20.0.0    20.0.0
react-native-community  react_native_community_cli
react-native-community  react_native_community_cli
react-native-community  react_native_community_cli   >= 19.0.0 < 19.1.2            19.1.2

Detection & IOCs (extracted from sources)

url: GET /windows
other: Rust-based UPX-packed binary (Windows next-stage payload)
  • Monitor for inbound HTTP POST requests to the /open-url endpoint on Metro development server ports; any external POST to this endpoint is anomalous and indicative of CVE-2025-11953 exploitation.
  • Detect base-64 encoded PowerShell payloads delivered in HTTP POST body to Metro server endpoints; decode and inspect for Add-MpPreference Defender exclusion commands and outbound TCP connections.
  • Hunt for approximately 3,500 internet-exposed React Native Metro servers using ZoomEye or similar EASM tools; prioritize patching or network-level blocking for any externally reachable Metro instances.
  • Check Point IPS signature 'React Native Community CLI Command Injection (CVE-2025-11953)' can be used as a detection reference for network-level blocking.
  • Exploitation activity (dubbed Metro4Shell) was first observed December 21, 2025, with follow-on waves on January 4 and January 21; use these dates to scope retrospective log hunting.
  • The vulnerability affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 only; version 20.0.0 and later are patched. Scope detection and patching efforts accordingly.
  • Exploitation complexity on Linux is significantly higher than on Windows; on Linux/macOS the attacker can only trigger pre-installed executables accessible to the affected program, whereas on Windows full arbitrary shell command execution with controlled arguments is possible.
  • Metro binds to external interfaces by default during development; this is a design default, not a misconfiguration, meaning any developer machine running Metro without firewall restrictions is exposed.
  • Despite active in-the-wild exploitation observed since December 2025, the vulnerability carries a low EPSS score; do not rely on EPSS or CISA KEV inclusion as the sole trigger for remediation prioritization.
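A defender-side triage check for the two network indicators listed above (external POSTs to /open-url and base64-encoded PowerShell carrying Add-MpPreference), written here as an added Python example that is not from this page or the React Native project; the request record layout and the sample traffic are constructed assumptions, since the page does not give the request format.

```python
import base64
import ipaddress
import re
from collections import namedtuple

# Indicators from the advisory text: external POSTs to the Metro /open-url endpoint and
# base64 PowerShell bodies carrying Defender exclusion commands (Add-MpPreference).
OPEN_URL_PATH = "/open-url"
SUSPICIOUS_MARKERS = ("add-mppreference", "powershell", "exclusionpath")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

# One reconstructed HTTP request; this field layout is an assumption, not a Metro log format.
Request = namedtuple("Request", "src_ip method path body")

def decode_candidates(blob):
    """Yield plaintexts for a base64 blob: UTF-16LE first (PowerShell -EncodedCommand), then UTF-8."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return
    for enc in ("utf-16-le", "utf-8"):
        try:
            yield raw.decode(enc)
        except UnicodeDecodeError:
            continue

def classify(req):
    """Return why a request matches the CVE-2025-11953 pattern; an empty list means no match."""
    reasons = []
    external = not ipaddress.ip_address(req.src_ip).is_loopback  # LAN peers count as external
    if req.method.upper() == "POST" and req.path.split("?")[0] == OPEN_URL_PATH and external:
        reasons.append("external POST to /open-url")
        for blob in B64_RE.findall(req.body):
            for text in decode_candidates(blob):
                hits = [m for m in SUSPICIOUS_MARKERS if m in text.lower()]
                if hits:
                    reasons.append("encoded PowerShell markers: " + ", ".join(hits))
                    return reasons
    return reasons

# Constructed sample traffic (not real captures): a developer's own loopback request and an
# external POST whose body is a UTF-16LE base64 Defender-exclusion command.
ENCODED_SAMPLE = base64.b64encode(
    "Add-MpPreference -ExclusionPath C:\\Users\\Public".encode("utf-16-le")).decode()
SAMPLE_REQUESTS = [
    Request("127.0.0.1", "POST", "/open-url", "constructed-benign-body"),
    Request("203.0.113.7", "POST", "/open-url", ENCODED_SAMPLE),
    Request("203.0.113.7", "GET", "/status", ""),
]
```

Any non-empty result from classify() is worth an alert on its own, since the page notes that every external POST to this endpoint is anomalous; the decoded-marker reason only raises the confidence.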

CVSS provenance

nvd: v3.1 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL
vendor_redhat: 9.8 CRITICAL