
The bug provides a low-effort, high-impact entry point into developer environments, threatening code integrity and the broader mobile app supply chain. Immediate remediation is essential to prevent further compromise.
React Native's Metro bundler is the backbone of mobile app development, serving JavaScript bundles to emulators and devices during the build process. Because Metro runs a lightweight HTTP server by default, many developers leave it bound to external interfaces for convenience, unintentionally exposing the /open-url endpoint to the internet. This exposure creates a soft target where attackers can inject malicious URLs, turning a development convenience into a remote code execution vector that bypasses traditional perimeter defenses.
The CVE-2025-11953 flaw leverages the unsanitized handling of POST data in the /open-url route, allowing an attacker to invoke the system's open() function with arbitrary arguments. On Windows, the exploit drops a Base64-encoded PowerShell payload that disables Defender, contacts a command-and-control server, and runs a packed Rust binary. Linux and macOS victims receive analogous executables with limited parameter control. The cross-platform nature of Metro4Shell means a single exploit chain can compromise heterogeneous development labs, potentially stealing source code, injecting malicious libraries, or pivoting into production environments.
Mitigation requires a two-pronged approach: patch Metro to version 20.0.0 or later and reconfigure the bundler to bind only to localhost or use VPN-restricted access. Organizations should also audit network exposure, rotate credentials, and monitor for the specific IoCs disclosed by VulnCheck. This incident underscores the growing risk of supply-chain attacks originating from development tooling, prompting security teams to treat dev servers with the same rigor as production assets. Early detection and swift remediation are now critical to safeguard the mobile app ecosystem.