Hackers Exploit Critical React Native Metro Vulnerability (CVE-2025-11953) for Cross-Platform Attacks Hackers are actively exploiting CVE-2025-11953, a critical vulnerability in the Metro server for React Native, to deliver malicious payloads targeting Windows and Linux systems. The flaw, discovered by JFrog in early November 2025, allows unauthenticated attackers to execute arbitrary OS commands via a crafted POST request to the `/open-url` endpoint. Metro, the default JavaScript bundler for React Native, is widely used in development environments. The vulnerability stems from unsanitized user-supplied URLs passed to the `open()` function, affecting @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2. A patch was released in version 20.0.0. Exploitation Timeline & Impact VulnCheck first observed attacks on December 21, 2025, with follow-up activity on January 4 and 21, 2025. Dubbed Metro4Shell, the campaign delivers base-64 encoded PowerShell payloads that: - Disable Microsoft Defender protections by adding exclusion paths. - Establish a raw TCP connection to attacker-controlled infrastructure. - Download and execute a Rust-based UPX-packed binary with anti-analysis features. The same infrastructure hosts payloads for both Windows and Linux, confirming cross-platform targeting. Scans via ZoomEye identified ~3,500 exposed Metro servers online. Despite active exploitation, the vulnerability remains low-scoring in the Exploit Prediction Scoring System (EPSS), highlighting a gap in risk prioritization. VulnCheck’s report includes indicators of compromise (IoCs) for the attacker’s infrastructure and payloads.