Critical OS command injection vulnerability in React Native Metro Development Server that binds to external interfaces by default. Allows unauthenticated remote attackers to execute arbitrary commands via HTTP POST requests.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2025-11-03
Added to CISA KEV: 2026-02-05 (94 days between CVE and KEV)
The Metro Development Server, which is opened by the React Native CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, the attackers can also execute arbitrary shell commands with fully controlled arguments.
Tracked as CVE-2025-11953 and also referred to as Metro4Shell, the vulnerability allows unauthenticated operating system command execution under specific exposure conditions. The issue does not directly impact production React Native applications, but it introduces meaningful risk to developer workstations and CI environments when Metro is accessible beyond localhost.
The vulnerability, tracked as CVE-2025-11953 and nicknamed "Metro4Shell," allows unauthenticated attackers to execute arbitrary operating system commands on developer machines by sending specially crafted HTTP requests. This represents a critical concern: active exploitation began in December 2025, yet the Exploit Prediction Scoring System (EPSS) assigns only a 0.00405 probability score as of late January 2026, a dangerous disconnect between theoretical risk models and real-world threat activity.
New CVE received from JFrog 11/03/2025 12:15:32 PM. Reference: https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability.
VulnCheck observed exploitation of CVE-2025-11953 on December 21, 2025, when our Canary network recorded exploitation of a Metro Development Server. The vulnerability, which we jokingly refer to as Metro4Shell, was automatically added to VulnCheck KEV the same day. VulnCheck customers had visibility into exploitation of this vulnerability in November through exploits and Suricata rules developed by the VulnCheck Initial Access Intelligence team.