
The exploit turns ordinary development infrastructure into a remote‑code execution vector, jeopardizing corporate apps and supply‑chain integrity. Prompt remediation is essential to prevent data breaches and operational disruption.
React Native’s popularity has made its tooling a high‑value target for attackers, and the Metro bundler sits at the heart of the development workflow. By default, Metro can listen on all network interfaces, a convenience that also exposes the server to every network the developer’s machine is attached to, including the public internet when the host is reachable from it. When combined with the CVE‑2025‑11953 flaw, this configuration creates a thin bridge from a developer’s machine to production environments, turning a benign build tool into a remote code execution platform. The vulnerability’s high CVSS score reflects both its ease of exploitation and the breadth of potential impact across the millions of apps that rely on the @react-native-community/cli package.
VulnCheck’s investigation reveals a sophisticated, multi‑stage attack chain. Initial POST requests trigger a PowerShell loader that first disables Microsoft Defender, signaling that threat actors anticipate robust endpoint protection. The loader then opens a raw TCP connection to retrieve a Rust‑compiled payload, which includes anti‑analysis techniques and can run on both Windows and Linux hosts. This approach demonstrates a clear evolution from proof‑of‑concept exploits to operational campaigns, leveraging the development server’s exposure to infiltrate downstream environments and potentially exfiltrate data or install persistent backdoors.
The emergence of Metro4Shell underscores the urgency for organizations to harden their development pipelines. Immediate steps include restricting Metro to localhost bindings, applying the latest patches from the React Native Community CLI, and integrating runtime application self‑protection (RASP) to detect anomalous POST traffic. Security teams should also monitor for the characteristic PowerShell loader patterns and Rust payload signatures. As supply‑chain attacks continue to rise, treating development infrastructure as production‑grade assets is no longer optional; it is a prerequisite for maintaining trust in modern mobile and web applications.
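The two hardening steps above that a team can check mechanically are the bind address of the development server and the origin of the requests it receives. The following Python script is an added example written for this article, not code from VulnCheck, the React Native project or the article itself. It assumes a simple constructed access-log format (`timestamp client "METHOD path HTTP/x" status`), uses Metro's well-known default port 8081 (a known default, not a value stated in the article) only as a label, and uses documentation-range sample IPs. It flags any request to the dev server from a non-loopback client, with POSTs called out separately, and classifies a bind address as exposed or local.

```python
"""Audit helpers for a React Native / Metro development server.

Two checks a defender wants after an "exposed dev server" advisory:
  1. bind_is_exposed(): would this bind address accept connections from
     other hosts (0.0.0.0, ::, a LAN address) or only from loopback?
  2. audit_log(): which requests to the dev server came from somewhere
     other than the developer's own machine, and which of those were POSTs?
Sample log lines and the log format are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Metro's default listening port; a well-known default used only as a label here.
METRO_DEFAULT_PORT = 8081

# Constructed log format: <timestamp> <client-ip> "<METHOD> <path> HTTP/<ver>" <status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


@dataclass
class Finding:
    ts: str
    client: str
    method: str
    path: str
    reason: str


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything else or unparsable input."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def bind_is_exposed(bind_addr: str) -> bool:
    """Return True if a listener bound to bind_addr is reachable from other hosts.

    Empty string, '*', 0.0.0.0 and :: mean "all interfaces"; a LAN address is
    reachable from that LAN; only loopback addresses (and the name 'localhost')
    keep the dev server private to the developer's machine.
    """
    if bind_addr in ("", "*"):
        return True
    if bind_addr.lower() == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(bind_addr)
    except ValueError:
        # Any other hostname: we cannot prove it resolves to loopback, so treat as exposed.
        return True
    return not ip.is_loopback


def audit_log(lines: Iterable[str]) -> List[Finding]:
    """Flag every request to the dev server that did not originate on loopback."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        if is_loopback(m["client"]):
            continue  # the developer's own tooling talking to Metro is expected
        reason = (
            "non-loopback POST to dev server"
            if m["method"] == "POST"
            else "non-loopback request to dev server"
        )
        findings.append(Finding(m["ts"], m["client"], m["method"], m["path"], reason))
    return findings


# Constructed sample log: two local bundler requests, then two from a remote client
# in the 203.0.113.0/24 documentation range. The POST path is a placeholder.
SAMPLE_LOG = [
    '2025-11-05T09:12:01Z 127.0.0.1 "GET /index.bundle?platform=android HTTP/1.1" 200',
    '2025-11-05T09:12:03Z ::1 "GET /status HTTP/1.1" 200',
    '2025-11-05T09:13:44Z 203.0.113.7 "POST /example-endpoint HTTP/1.1" 200',
    '2025-11-05T09:13:45Z 203.0.113.7 "GET /status HTTP/1.1" 200',
]

if __name__ == "__main__":
    for bind in ("0.0.0.0", "::", "127.0.0.1", "localhost"):
        state = "EXPOSED" if bind_is_exposed(bind) else "local-only"
        print(f"bind {bind!r} on port {METRO_DEFAULT_PORT}: {state}")
    for f in audit_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.method} {f.path}: {f.reason}")
```

Run it once against your own dev-server logs (after adapting `LOG_RE` to their real format) and once against the bind address the team actually starts Metro with; a loopback-only bind plus an empty findings list is the state the article's first two remediation steps aim for.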