CVE-2025-11953 (Metro4Shell) in React Native Metro Server Enables RCE
A critical security flaw in the React Native Community CLI Metro development server has drawn attention following confirmed real-world exploitation in late December 2025 and January 2026, alongside the public circulation of multiple Proof-of-Concept (PoC) exploits.
Tracked as CVE-2025-11953 and also referred to as Metro4Shell, the vulnerability allows unauthenticated operating system command execution under specific exposure conditions. The issue does not directly impact production React Native applications, but it introduces meaningful risk to developer workstations and CI environments when Metro is accessible beyond localhost.
This post explains what the flaw is, when environments are actually at risk, how attackers abuse it, and what defenders should do immediately.
What Is CVE-2025-11953?
CVE-2025-11953 (CVSS 9.8) affects the Metro development server used by React Native tooling. The issue is network-reachable and does not require authentication when the service can be accessed by an attacker.
The vulnerable behavior involves a Metro POST handler (/open-url) that processes attacker-supplied input in a way that can reach operating system execution paths. Improper handling of this input results in an OS command injection condition consistent with CWE-78. In exposed environments, this can lead to remote code execution with the privileges of the user running Metro.
Details of CVE-2025-11953 (SOCRadar Vulnerability Intelligence)
Which React Native Components & Versions Are Affected?
The vulnerability impacts the following package:
- @react-native-community/cli-server-api
Reported affected versions span a wide range of releases, including versions from 4.8.0 through 20.0.0-alpha.2, depending on how the dependency is resolved within the React Native CLI ecosystem.
Fixed Versions
Patches have been released across maintained branches, including:
- 18.0.1
- 19.1.2
- 20.0.0 and later
Defenders should confirm which version of the server component is actually in use, as it may be pulled in through nested dependencies or global CLI installations rather than appearing directly in a project’s package manifest.
When Are You Actually Exposed to Exploitation?
Possessing a vulnerable dependency alone does not guarantee exposure. Risk emerges when the following conditions are met:
- The Metro server is actively running (for example, via npm start or npx react-native start)
- Metro is reachable from outside the local host
- Network controls do not restrict inbound access to the Metro port
This makes the issue especially relevant for:
- Developer laptops operating on shared or untrusted networks
- CI runners or build agents where Metro is started during workflows
- Development or test hosts where Metro listens on non-local interfaces and network access is not constrained
How Does CVE-2025-11953 Work in Real Attacks?
In real-world scenarios, attackers who can reach an exposed Metro instance can send a crafted, unauthenticated POST request to the /open-url endpoint. Carefully constructed input allows execution to cross from application logic into operating system commands.
How Does Exploitation Differ on Windows, macOS & Linux?
The impact of exploitation varies slightly by platform:
- Windows: attackers can achieve arbitrary shell command execution with attacker-controlled arguments.
- macOS/Linux: attackers can execute arbitrary executables, with more limited parameter control, but still enough to be dangerous in realistic scenarios.
Because the request is unauthenticated and the service is developer-facing, attackers often focus on exposed endpoints where defenders may not have strong monitoring or segmentation.
Is There Active Exploitation in the Wild?
Yes. CVE-2025-11953 has been observed under active exploitation.
VulnCheck reported exploitation activity via its Canary network beginning on December 21, 2025, with additional observations on January 4 and January 21, 2026, indicating sustained attacker interest.
This activity marks a shift from earlier reporting in November 2025, when no confirmed exploitation had been identified.
How SOCRadar Helps Teams Track & Respond to Actively Exploited Vulnerabilities
Incidents like CVE-2025-11953 highlight how quickly developer-focused vulnerabilities can shift from advisory-level issues to active attack vectors, often before organizations realize they are exposed.
SOCRadar’s Cyber Threat Intelligence helps security teams stay ahead of this shift by continuously monitoring newly disclosed vulnerabilities, exploit availability, and in-the-wild activity. Rather than relying solely on CVSS scores, teams gain context on whether a flaw is being actively weaponized, which environments are typically targeted, and how threat activity evolves over time.

SOCRadar’s Vulnerability Intelligence
By combining real-time exploit intelligence with Attack Surface Management (ASM), SOCRadar enables defenders to prioritize remediation for vulnerabilities that pose immediate risk – especially those affecting development infrastructure, CI pipelines, and other non-production systems that are often overlooked.
What Should Defenders Do Now to Reduce Risk?
Patch First: Upgrade to a Fixed Version
The preferred remediation is to upgrade:
- @react-native-community/cli-server-api to >= 20.0.0, ensuring your CLI actually pulls the fixed server component.
Validate in both places:
- Project dependency tree: npm list @react-native-community/cli-server-api
- Global installs: npm list -g @react-native-community/cli-server-api
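Because the server component can be pulled in transitively, checking the lockfile for every installed copy (including nested ones) is more reliable than reading package.json. The script below is an added example, not SOCRadar's or the React Native project's code. It walks the `packages` map of a lockfileVersion 2/3 package-lock.json and compares each copy of @react-native-community/cli-server-api against the affected range and fixed versions stated above; the assumption that any version below 18.x is only fixed by moving to 20.0.0 or later, and the sample lockfile it audits, are both constructed for this example.

```python
import json
import re
import sys
from typing import Iterator

PKG = "@react-native-community/cli-server-api"
FIRST_AFFECTED = (4, 8, 0)  # lowest version the advisory lists as affected

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_semver(version: str) -> tuple:
    """Turn '20.0.0-alpha.2' into a sortable key where a pre-release sorts
    before the release of the same number (so 20.0.0-alpha.2 < 20.0.0)."""
    m = _SEMVER.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return (major, minor, patch, 1, ())
    # numeric identifiers compare numerically and sort before alphanumeric ones
    idents = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, 0, idents)


def fixed_version_for(major: int) -> str:
    """First fixed release on each maintained branch named in the advisory.
    Assumption: branches below 18.x have no backport and must move to 20.0.0+."""
    if major == 18:
        return "18.0.1"
    if major == 19:
        return "19.1.2"
    return "20.0.0"


def is_vulnerable(version: str) -> bool:
    v = parse_semver(version)
    if v[:3] < FIRST_AFFECTED:
        return False  # older than the reported affected range
    return v < parse_semver(fixed_version_for(v[0]))


def find_installed(lock: dict) -> Iterator[tuple]:
    """Yield (install path, version) for every copy of the package in the
    'packages' map of a lockfileVersion 2/3 package-lock.json, including
    copies nested under other dependencies."""
    for path, meta in lock.get("packages", {}).items():
        if path.endswith("node_modules/" + PKG):
            yield path, meta.get("version", "")


def audit_lockfile(lock: dict) -> list:
    """One finding per installed copy, in lockfile order."""
    findings = []
    for path, version in find_installed(lock):
        findings.append({
            "path": path,
            "version": version,
            "vulnerable": is_vulnerable(version),
            "fixed_in": fixed_version_for(parse_semver(version)[0]),
        })
    return findings


# Constructed sample lockfile: a vulnerable top-level copy, a vulnerable
# pre-release nested under one tool, and a patched copy nested under another.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/@react-native-community/cli": {"version": "18.0.0"},
        "node_modules/@react-native-community/cli-server-api": {"version": "18.0.0"},
        "node_modules/legacy-tool/node_modules/@react-native-community/cli-server-api": {"version": "20.0.0-alpha.2"},
        "node_modules/other-tool/node_modules/@react-native-community/cli-server-api": {"version": "20.0.0"},
    },
}

if __name__ == "__main__":
    # Usage: python audit_metro.py [path/to/package-lock.json]
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in audit_lockfile(lock):
        status = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f'{status:10} {f["version"]:15} {f["path"]} (fixed in {f["fixed_in"]})')
```

Run it against each project's package-lock.json and, for global CLI installs, against the lockfile under the global node_modules directory; a single "VULNERABLE" line anywhere in the tree means the fixed server component is not what actually runs.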
Harden Exposure Even After Patching
Patching reduces the immediate vulnerability, but Metro exposure remains a risk pattern. Recommended hardening includes:
- Bind Metro to localhost explicitly using --host 127.0.0.1
- Add host firewall rules to block inbound access to the Metro port from untrusted networks
- Avoid running Metro on internet-accessible machines, especially shared dev hosts and build infrastructure
Hunt for High-Signal Indicators
Detection opportunities with good signal-to-noise include:
- Web telemetry showing unauthenticated POST requests to /open-url against developer endpoints and build agents
- On Windows, suspicious PowerShell encoded commands and behavior consistent with attempts to weaken Microsoft Defender protections (such as adding exclusions) prior to payload retrieval and execution
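The first indicator above is easy to turn into a hunt query because Metro on a correctly configured host should only ever receive /open-url requests from the loopback interface. The following script is an added example (not SOCRadar's or a Metro feature): it parses reverse-proxy or web-server access logs in common/combined format, keeps every POST to /open-url, and classifies the source address so that non-loopback hits surface as alerts. The log lines are constructed for this example, and the private-range list is limited to RFC 1918 space, which you would extend with your own VPN ranges.

```python
import ipaddress
import re
from typing import Iterator

# Common/combined access-log format as written by most reverse proxies;
# adjust the pattern if your telemetry comes from a different source.
_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: only RFC 1918 space counts as "inside"; add VPN ranges as needed.
_PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(src: str) -> str:
    """loopback: the developer's own tooling; private: another host on the
    LAN/VPN; external: an address a dev server should never hear from."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in _PRIVATE_NETS):
        return "private"
    return "external"


def find_open_url_posts(lines) -> Iterator[dict]:
    """Yield every POST to /open-url (with or without a query string) with
    where it came from. Only method and path are matched, so the request
    body is not required in the telemetry."""
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path == "/open-url":
            yield {
                "ts": m.group("ts"),
                "src": m.group("src"),
                "status": int(m.group("status")),
                "source_class": classify_source(m.group("src")),
            }


def alerts(lines) -> list:
    """Only hits that did not arrive over loopback: the high-signal events on
    a host where Metro is supposed to be bound to 127.0.0.1."""
    return [hit for hit in find_open_url_posts(lines) if hit["source_class"] != "loopback"]


# Constructed sample lines for a proxy in front of a build agent (dates and
# addresses are made up; 203.0.113.0/24 is documentation space).
SAMPLE_LOG = """\
127.0.0.1 - - [21/Dec/2025:10:01:02 +0000] "GET /status HTTP/1.1" 200 12
127.0.0.1 - - [21/Dec/2025:10:01:09 +0000] "POST /open-url HTTP/1.1" 200 0
10.0.5.12 - - [21/Dec/2025:10:03:40 +0000] "POST /open-url HTTP/1.1" 200 0
203.0.113.7 - - [21/Dec/2025:10:02:15 +0000] "POST /open-url?x=1 HTTP/1.1" 200 0
203.0.113.7 - - [21/Dec/2025:10:02:16 +0000] "GET /index.bundle?platform=android HTTP/1.1" 404 0
""".splitlines()

if __name__ == "__main__":
    # Usage: python hunt_open_url.py < access.log  (falls back to the sample)
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for a in alerts(source):
        print(f'{a["ts"]}  {a["source_class"]:8}  {a["src"]}  POST /open-url -> {a["status"]}')
```

A loopback POST to /open-url is ordinary developer activity and is deliberately not alerted on; a private-range hit tells you the Metro port is reachable across the LAN or VPN, which is itself a finding worth fixing with the binding and firewall steps above, and an external hit on a build agent should be treated as a probable intrusion attempt and correlated with process creation on that host.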
If you can answer two scoping questions, you can prioritize faster: (1) where Metro runs (laptops vs CI), and (2) whether those Metro instances are reachable from other subnets or VPN segments.
