CVE-2025-11953 — React Native Community CLI OS Command Injection Vulnerability

React Native CLI Metro Server — Pre-Auth OS Command Injection via /open-url Endpoint (Metro4Shell; ~2.5M Weekly Downloads)

What is React Native CLI and Metro?

React Native is Meta's framework for building mobile applications using JavaScript/TypeScript that run natively on iOS and Android. The @react-native-community/cli package provides the command-line interface for React Native development, including the Metro bundler — a development server that bundles JavaScript code for device/simulator testing. Metro runs as an HTTP server (default port 8081) and by default binds to all network interfaces (0.0.0.0), not just localhost. During development, Metro is intentionally internet-accessible in some setups. The React Native CLI has approximately 2.5 million weekly npm downloads.

Overview

CVE-2025-11953 (nicknamed Metro4Shell by SOCRadar) is a critical OS command injection vulnerability (CWE-78, CVSS 9.8) in the React Native Community CLI's Metro development server. The /open-url POST endpoint accepts a URL parameter that is passed directly to the npm open package, which invokes a system shell command without sanitization. An unauthenticated attacker can send a crafted POST request to /open-url and execute arbitrary OS commands on the host running Metro — on Windows, arbitrary shell commands with fully controlled arguments are also possible. Because Metro binds to all network interfaces by default, it may be reachable from the network or internet in development and CI/CD environments. CISA added the CVE to the KEV catalog in February 2026 after VulnCheck documented active exploitation campaigns beginning December 2025.

Affected Versions

  Package                                   Vulnerable                      Fixed
  @react-native-community/cli               v1.0.0 through v20.0.1          v20.0.2
  @react-native-community/cli-server-api    All versions before the fix     v20.0.0+ (fix in server-api package)

Technical Details

The vulnerability (CWE-78: OS Command Injection) is in Metro's /open-url HTTP endpoint, part of the @react-native-community/cli-server-api package. When a POST request is received at /open-url, the url parameter from the request body is passed directly to the open() function from the npm open package without validation or sanitization. The open package invokes a system shell command to "open" the URL using the platform's default handler:

  • Linux/macOS: xdg-open <url> or open <url> — shell metacharacters in the URL enable command injection
  • Windows: Invokes cmd.exe /c start <url> — the start command with shell-interpreted arguments allows arbitrary shell command execution with fully controlled arguments

Key exposure factor: Metro binds to 0.0.0.0 by default — all network interfaces — meaning it is accessible from any host on the local network, and potentially from the internet if not firewalled. Production deployments, CI/CD pipelines, cloud development environments, and developer machines without firewall restrictions are all potentially vulnerable.

Mitigation without patching: Start Metro with --host 127.0.0.1 to bind only to localhost: npx react-native start --host 127.0.0.1
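As an added example (not code from @react-native-community/cli or from the npm open package), the following shows the handler shape described above next to a hardened version. `openFn` stands in for the open package's open(url) so the block runs offline; the http/https scheme allow-list and the shell-metacharacter deny-list are assumptions chosen for illustration, not the project's actual fix.

```javascript
// Added example, not code from @react-native-community/cli.
// openFn stands in for open() from the npm `open` package so this runs offline.

// Vulnerable shape: whatever arrives in the request body reaches openFn() unchanged,
// and the real open() hands that string to a shell (xdg-open/open or cmd.exe /c start).
function vulnerableOpenUrlHandler(body, openFn) {
  const { url } = JSON.parse(body);
  return openFn(url); // no validation: shell metacharacters travel straight to the shell
}

// Assumption for this example: a development server only ever needs to open web URLs.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Conservative deny-list: characters meaningful to sh or cmd.exe. Some of these are
// legal in URLs, but a dev tool can afford to reject them outright.
const SHELL_META = /[\s;&|`$<>()\\'"{}]/;

// Returns the canonical URL string if it is acceptable, otherwise null.
function validateOpenUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  if (SHELL_META.test(raw)) return null;
  let parsed;
  try {
    parsed = new URL(raw); // throws on anything that is not an absolute URL
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null; // no file:, javascript:, etc.
  if (parsed.username || parsed.password) return null;    // no embedded credentials
  return parsed.href; // re-serialised form, not the caller's original bytes
}

// Hardened shape: parse, validate, and answer 400 instead of ever calling openFn()
// with an unvalidated string.
function hardenedOpenUrlHandler(body, openFn) {
  let parsedBody;
  try {
    parsedBody = JSON.parse(body);
  } catch {
    return { status: 400, opened: null };
  }
  const safeUrl = validateOpenUrl(parsedBody.url);
  if (safeUrl === null) return { status: 400, opened: null };
  openFn(safeUrl);
  return { status: 200, opened: safeUrl };
}
```

Validation only narrows what reaches the shell; it does not change who can reach the endpoint, so the `--host 127.0.0.1` binding above still matters even on a patched CLI.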

Discovery

Discovered by JFrog Security Research, who disclosed in early November 2025.

Exploitation Context

VulnCheck's Canary network detected active exploitation beginning December 21, 2025 — approximately 7 weeks after CVE publication. Three exploitation waves were observed (Dec 21, Jan 4, Jan 21). Attackers deployed multi-stage attack chains:

  1. POST to /open-url with injected command
  2. Execute multi-stage PowerShell loader via cmd.exe
  3. Disable Microsoft Defender before payload retrieval
  4. Fetch and execute a Rust-based binary with anti-analysis features

Attack infrastructure:

  • C2 source IPs: 65.109.182.231, 223.6.249.141, 134.209.69.155
  • Payload hosting: 8.218.43.248:60124, 47.86.33.195:60130

CISA added CVE-2025-11953 to the KEV catalog on February 5, 2026 — approximately 3 months after CVE publication. The delay reflects that CISA's catalog primarily tracks exploitation against government-relevant infrastructure; VulnCheck's January 2026 exploitation data likely triggered the KEV addition. The vulnerability is particularly impactful because Metro is present in virtually every React Native development environment and CI/CD pipeline, and developers rarely consider their local/CI development servers as attack surfaces requiring security updates.

Remediation

  1. Upgrade @react-native-community/cli to v20.0.2 or later: npm install --save-dev @react-native-community/cli@latest or yarn add --dev @react-native-community/cli@latest.
  2. Immediately apply network binding mitigation: add --host 127.0.0.1 to all Metro start commands to prevent exposure beyond localhost: npx react-native start --host 127.0.0.1. Add this to package.json scripts.
  3. Firewall Metro's port (default 8081) at the OS and network level to deny external access — Metro should never be reachable from untrusted networks.
  4. Audit CI/CD pipelines: if React Native builds run in CI/CD environments (GitHub Actions, Jenkins, etc.), ensure Metro is not running with network-accessible bindings during pipeline execution.
  5. Block attacker infrastructure in network egress rules: 8.218.43.248, 47.86.33.195, 65.109.182.231, 223.6.249.141, 134.209.69.155.
  6. Do not run Metro in production: Metro is a development bundler and should never be deployed to production servers. If you see Metro processes on production hosts, treat it as an incident.
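To check steps 1 and 2 of the list above mechanically, here is an added example (not tooling from the React Native project) that audits a package-lock.json (lockfile v2/v3 `packages` map) for @react-native-community/cli below v20.0.2 and flags package.json scripts that start Metro without `--host 127.0.0.1` or `--host localhost`. The sample file contents are constructed for this example.

```javascript
// Added example, not tooling from the React Native project.
// Audits two files a repo already has: package.json (scripts) and package-lock.json.

// First fixed release of @react-native-community/cli, per the advisory above.
const FIXED_VERSION = [20, 0, 2];
const CLI_PACKAGE_SUFFIX = 'node_modules/@react-native-community/cli';

// Parses "MAJOR.MINOR.PATCH" (pre-release/build suffixes ignored); null if unparseable.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function semverLess(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walks the lockfile's `packages` map (lockfile v2/v3). Nested installs such as
// packages/app/node_modules/... are matched too, since the suffix check ignores the prefix.
function findVulnerableCli(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(CLI_PACKAGE_SUFFIX)) continue;
    const v = parseSemver(entry.version || '');
    if (v && semverLess(v, FIXED_VERSION)) findings.push({ path, version: entry.version });
  }
  return findings;
}

// Flags every script that starts Metro without pinning it to the loopback interface.
function findExposedStartScripts(pkgJson) {
  const pkg = JSON.parse(pkgJson);
  const findings = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (!/react-native\s+start\b/.test(cmd)) continue;
    if (!/--host(?:\s+|=)(?:127\.0\.0\.1|localhost)\b/.test(cmd)) {
      findings.push({ script: name, command: cmd });
    }
  }
  return findings;
}

function auditProject(pkgJson, lockJson) {
  return {
    vulnerableCli: findVulnerableCli(lockJson),
    exposedScripts: findExposedStartScripts(pkgJson),
  };
}

// Constructed sample inputs: one unpinned start script and a pre-fix CLI version.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-app',
  scripts: {
    start: 'react-native start',
    'start:safe': 'react-native start --host 127.0.0.1',
    test: 'jest',
  },
});

const SAMPLE_LOCK_JSON = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/@react-native-community/cli': { version: '20.0.1' },
    'node_modules/@react-native-community/cli-server-api': { version: '20.0.1' },
  },
});

// Stand-alone run: prints the findings for the constructed sample.
console.log(JSON.stringify(auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK_JSON), null, 2));
```

Running this against the constructed sample reports the `start` script and the 20.0.1 install; in a real repo, feed it the files from disk and wire the result into CI so a regression on either point fails the build.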

Key Details

  Property               Value
  CVE ID                 CVE-2025-11953
  Vendor / Product       React Native Community — CLI
  NVD Published          2025-11-03
  NVD Last Modified      2026-02-06
  CVSS 3.1 Score         9.8
  CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  Severity               CRITICAL
  CWE                    CWE-78
  CISA KEV Added         2026-02-05
  CISA KEV Deadline      2026-02-26
  Known Ransomware Use   No

CVSS 3.1 Breakdown

  Attack Vector          Network
  Attack Complexity      Low
  Privileges Required    None
  User Interaction       None
  Scope                  Unchanged
  Confidentiality        High
  Integrity              High
  Availability           High

Required Action

CISA BOD 22-01 Deadline: 2026-02-26. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

  Date          Event
  2025-11-03    CVE published; @react-native-community/cli v20.0.2 released with the fix
  2025-12-21    VulnCheck Canary network detects active exploitation wave; attackers deploy PowerShell loaders and Rust-based malware
  2026-01-04    Second exploitation wave observed (VulnCheck)
  2026-01-21    Third exploitation wave observed
  2026-02-05    CISA adds to Known Exploited Vulnerabilities catalog
  2026-02-26    CISA BOD 22-01 remediation deadline