CVE-2025-11953, also known as "Metro4Shell," is a critical OS command injection vulnerability affecting the Metro Development Server used by the React Native Community CLI [4][7]. Here's what is known about its exploitation:
- Internet-Facing Applications/Services: The vulnerability primarily impacts developer workstations and CI environments when the Metro development server is accessible beyond `localhost` [2]. By default, the Metro Development Server binds to external interfaces, making it a potential target [1][7]. It does not directly affect production React Native applications [2].
- Evidence of Active Exploitation: Yes, there is clear evidence of active exploitation in the wild. Exploitation was observed as early as late December 2025 [5][8]. VulnCheck reported observing exploitation on their Canary network on December 21, 2025 [5]. This exploitation occurred before widespread public acknowledgment [3][11].
- Attack Vectors and Exploitation Methods: The vulnerability allows unauthenticated network attackers to execute arbitrary operating system commands [2][4]. Attackers can achieve this by sending a crafted POST request to the vulnerable server [1][4]. On Windows systems, attackers can also execute arbitrary shell commands with fully controlled arguments [1][4].
- Use in Targeted Attacks: While public reporting gives few specifics about targeted campaigns, threat actors have reportedly exploited this vulnerability to deploy malware against software developers worldwide [3]. The active exploitation in the wild indicates it is being used in real-world attacks [5][8].
- CISA Known Exploited Vulnerabilities (KEV) Status: CVE-2025-11953 has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog [5][9]. This addition was based on evidence of active exploitation [9].
- Technical Details about Internet Exploitability: The Metro Development Server, when not properly configured to bind only to `localhost`, exposes an endpoint vulnerable to OS command injection [1]. This allows remote attackers to run arbitrary executables or shell commands by sending specially crafted HTTP requests [1][4]. The vulnerability is described as a critical RCE (Remote Code Execution) flaw [10][12].
To mitigate CVE-2025-11953, it is recommended to update `@react-native-community/cli-server-api` to version 20.0.0 or higher, or to explicitly bind the development server to the `localhost` interface using the `--host 127.0.0.1` flag [6].
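As an added defender-side check (example code, not from any of the sources cited here), the following Python helpers audit a project for the two mitigation conditions above: whether the installed `@react-native-community/cli-server-api` is older than 20.0.0, and whether a Metro listener is bound to anything other than loopback. The default port 8081 and the `ss -ltn` output layout are assumptions; the sample socket listing is constructed.

```python
"""Added audit helpers for CVE-2025-11953 exposure (example, not from the cited sources)."""
import json
import re
from pathlib import Path
from typing import List, Optional

# Fix version for @react-native-community/cli-server-api, per the mitigation advice.
FIXED_VERSION = (20, 0, 0)
# Assumption: Metro's default listening port; adjust if the project overrides it.
METRO_PORT = 8081
LOOPBACK_PREFIXES = ("127.", "[::1]")

def parse_version(spec: str) -> tuple:
    """Turn '19.1.2' (optionally prefixed by ^, ~, v or =) into a comparable tuple."""
    match = re.match(r"^[\^~v=]*(\d+)\.(\d+)\.(\d+)", spec.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {spec!r}")
    return tuple(int(part) for part in match.groups())

def version_is_vulnerable(spec: str) -> bool:
    """True when the cli-server-api version is older than the fixed release."""
    return parse_version(spec) < FIXED_VERSION

def installed_server_api_version(project_root: str) -> Optional[str]:
    """Read the version actually installed in node_modules, or None if absent."""
    pkg = (Path(project_root) / "node_modules" / "@react-native-community"
           / "cli-server-api" / "package.json")
    if not pkg.is_file():
        return None
    return json.loads(pkg.read_text(encoding="utf-8"))["version"]

def exposed_listeners(ss_output: str, port: int = METRO_PORT) -> List[str]:
    """Return local addresses listening on `port` that are not loopback-bound (input: `ss -ltn` text)."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # header row or non-listening socket
        host, _, local_port = cols[3].rpartition(":")  # cols[3] is Local Address:Port
        if local_port == str(port) and not host.startswith(LOOPBACK_PREFIXES):
            exposed.append(cols[3])
    return exposed

# Constructed sample `ss -ltn` output: Metro on all interfaces (v4 and v6), Postgres on loopback only.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:8081        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*
LISTEN 0      511    [::]:8081           [::]:*
"""
```

Run `installed_server_api_version(".")` from the project root and pipe real `ss -ltn` output into `exposed_listeners` to check a workstation or CI runner; any non-empty result means the `--host 127.0.0.1` binding is not in effect.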
- react-native-community/cli has arbitrary OS command injection...
  The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables.
- CVE-2025-11953 (Metro4Shell) in React Native Metro ...
  Tracked as CVE-2025-11953 and also referred to as Metro4Shell, the vulnerability allows unauthenticated operating system command execution under specific exposure conditions. The issue does not directly impact production React Native applications, but it introduces meaningful risk to developer works…
- Hackers Actively Exploit React Native Metro Server Flaw to Target ...
  The vulnerability, tracked as CVE-2025-11953 and nicknamed "Metro4Shell," allows unauthenticated attackers to execute arbitrary operating system commands on developer machines by sending specially crafted HTTP requests. This represents a critical concern: active exploitation began in December 2025, y…
- Metro4Shell: Exploitation of React Native's Metro Server in ...
  VulnCheck observed exploitation of CVE-2025-11953 on December 21, 2025, when our Canary network recorded exploitation of a Metro Development Server. The vulnerability, which we jokingly refer to as Metro4Shell, was automatically added to VulnCheck KEV the same day. VulnCheck customers had visibility…
- NVD - CVE-2025-11953
  This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments. New CVE Received from JFrog 11/03/2025 12:15:32 PM. Reference: https://jfrog.com/blog/…