Executive Summary
In late 2025, a critical vulnerability (CVE-2025-11953) was discovered in the Metro Development Server used by React Native. This flaw allowed unauthenticated attackers to execute arbitrary OS commands on developer systems via a POST request to the server's /open-url endpoint. The vulnerability affected versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package and was patched in version 20.0.0. Exploitation was observed in December 2025 and January 2026, with attackers delivering advanced payloads on both Windows and Linux platforms, leading to potential system compromise and data exfiltration.
This incident underscores the critical importance of securing development environments and promptly applying patches to known vulnerabilities. The ease of exploitation and the widespread use of React Native in the development community highlight the need for vigilant security practices to prevent similar supply-chain attacks in the future.
Why This Matters Now
The exploitation of CVE-2025-11953 demonstrates the ongoing risk of supply-chain attacks targeting development tools. Developers must ensure their environments are secure and up-to-date to prevent unauthorized access and potential data breaches.
Attack Path Analysis
Attackers exploited CVE-2025-11953 in the Metro Development Server to gain initial access to developer systems. They then executed PowerShell scripts to disable endpoint protections and establish persistence. Subsequently, they moved laterally within the network to access additional resources. The attackers established command and control channels to communicate with compromised systems. They exfiltrated sensitive data from the developer environments. Finally, they deployed malware to disrupt operations and maintain control over the systems.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited CVE-2025-11953 in the Metro Development Server to gain unauthorized access to developer systems.
Related CVEs
CVE-2025-11953
CVSS 9.8The Metro Development Server in the React Native Community CLI binds to external interfaces by default, exposing an endpoint vulnerable to OS command injection, allowing unauthenticated attackers to execute arbitrary commands on the host system.
Affected Products:
React Native Community CLI – 4.8.0 through 20.0.0-alpha.2
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: Windows Command Shell
Command and Scripting Interpreter: Unix Shell
Exploitation for Client Execution
Impair Defenses: Disable or Modify Tools
Ingress Tool Transfer
Hijack Execution Flow: DLL Side-Loading
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Access Privileges
Control ID: 500.07
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – User Authentication and Authorization
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Direct exposure through React Native development environments with 3,500+ vulnerable Metro servers enabling supply-chain attacks targeting developer systems and code repositories.
Information Technology/IT
Critical infrastructure risk from CVE-2025-11953 exploitation allowing remote code execution on development systems, compromising CI/CD pipelines and enterprise applications.
Financial Services
High-value target for supply-chain attacks through compromised mobile banking applications built with React Native, risking customer data and regulatory compliance violations.
Health Care / Life Sciences
HIPAA compliance threats from mobile health application development compromises, potentially exposing patient data through tainted React Native development environments and deployments.
Sources
- Hackers exploit critical React Native Metro bug to breach dev systemshttps://www.bleepingcomputer.com/news/security/hackers-exploit-critical-react-native-metro-bug-to-breach-dev-systems/Verified
- CVE-2025-11953 | INCIBE-CERT | INCIBEhttps://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-2025-11953Verified
- Metro4Shell: Exploitation of React Native’s Metro Server in the Wild | Blog | VulnCheckhttps://www.vulncheck.com/blog/metro4shell_eitwVerified
- Millions of developers could be open to attack after critical flaw exploited - here's what we knowhttps://www.techradar.com/pro/security/millions-of-developers-could-be-open-to-attack-after-critical-flaw-exploited-heres-what-we-knowVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's lateral movement and data exfiltration by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities may have been constrained by identity-aware policies and workload isolation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may have been constrained by strict segmentation policies limiting access to critical systems.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been constrained by monitoring and controlling east-west traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control communications may have been constrained by comprehensive visibility and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been constrained by strict egress policies and monitoring.
The attacker's ability to deploy and execute malware may have been constrained by enforced segmentation and traffic controls.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD) Pipelines
- Source Code Management
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of proprietary source code and developer credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Upgrade the React Native Community CLI to version 20.0.0 or later to patch CVE-2025-11953.
- • Restrict the Metro Development Server to bind only to localhost to prevent unauthorized external access.
- • Implement Zero Trust Segmentation to limit lateral movement within the network.
- • Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
