
React Native CLI Remote Code Execution Vulnerability (CVE-2025-11953)

2 unique sources, 3 articles

Summary

A critical security flaw in the React Native CLI package, tracked as CVE-2025-11953, allowed remote, unauthenticated attackers to execute arbitrary OS commands on development servers. The vulnerability affected versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package, impacting millions of developers using the React Native framework. The flaw was patched in version 20.0.0. The vulnerability is being actively exploited in the wild, with attacks observed on December 21, 2025, January 4, 2026, and January 21, 2026. The attacks deliver base64-encoded PowerShell payloads hidden in the HTTP POST body of malicious requests. The payloads disable endpoint protections, establish a raw TCP connection to attacker-controlled infrastructure, write data to disk, and execute the downloaded binary. Approximately 3,500 exposed React Native Metro servers are still online, according to scans using the ZoomEye search engine. Despite active exploitation being observed for over a month, the vulnerability still carries a low score in the Exploit Prediction Scoring System (EPSS). The vulnerability affects Windows, Linux, and macOS systems, with varying levels of control over the executed commands. The flaw was discovered by researchers at JFrog and disclosed in early November 2025. VulnCheck has dubbed the vulnerability Metro4Shell. The Windows payload is a Rust-based UPX-packed binary with basic anti-analysis logic, and the same attacker infrastructure hosts corresponding Linux binaries, indicating cross-platform targeting.
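The affected range above ends at a prerelease (20.0.0-alpha.2) while the fix is the release 20.0.0, so a plain string or numeric version comparison misjudges exactly the boundary that matters. The Node.js script below is an added example written for this page, not code from the original article or from the React Native project: it audits a lockfileVersion 2/3 package-lock.json for both affected packages using prerelease-aware semver ordering. The lock file content is constructed; the package names and version bounds are the ones the summary gives.

```javascript
// Audit a package-lock.json for the @react-native-community/cli and
// cli-server-api versions that CVE-2025-11953 affects: 4.8.0 through 20.0.0-alpha.2.
// Added example code for this page (not the project's own); SAMPLE_LOCK is constructed.

const AFFECTED_PACKAGES = [
  "@react-native-community/cli",
  "@react-native-community/cli-server-api",
];
const FIRST_AFFECTED = "4.8.0";
const LAST_AFFECTED = "20.0.0-alpha.2"; // 20.0.0 itself is the fixed release

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    prerelease: m[4] ? m[4].split(".") : [],
  };
}

// Compare one prerelease identifier per the semver spec: numeric identifiers
// compare as numbers and sort before alphanumeric ones, which compare lexically.
function compareIdentifier(a, b) {
  const aNum = /^\d+$/.test(a), bNum = /^\d+$/.test(b);
  if (aNum && bNum) return Math.sign(Number(a) - Number(b));
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 with full semver precedence: a prerelease (20.0.0-alpha.2)
// sorts before its release (20.0.0), which is what makes this audit correct.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.prerelease.length === 0 && pb.prerelease.length === 0) return 0;
  if (pa.prerelease.length === 0) return 1;  // release beats any prerelease
  if (pb.prerelease.length === 0) return -1;
  const n = Math.min(pa.prerelease.length, pb.prerelease.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifier(pa.prerelease[i], pb.prerelease[i]);
    if (c !== 0) return c;
  }
  return Math.sign(pa.prerelease.length - pb.prerelease.length);
}

// True when the version lies inside the affected range (inclusive on both ends).
function isAffected(version) {
  return compareSemver(version, FIRST_AFFECTED) >= 0 &&
         compareSemver(version, LAST_AFFECTED) <= 0;
}

// Walk the lockfileVersion 2/3 "packages" map. Nested copies such as
// node_modules/x/node_modules/<pkg> count too; that is where transitive pins hide.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = AFFECTED_PACKAGES.find(
      p => path === `node_modules/${p}` || path.endsWith(`/node_modules/${p}`));
    if (!name || !entry.version) continue;
    findings.push({ path, name, version: entry.version, affected: isAffected(entry.version) });
  }
  return findings;
}

// Constructed sample lock file: two patched top-level copies, one vulnerable nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@react-native-community/cli": { version: "20.0.0" },
    "node_modules/@react-native-community/cli-server-api": { version: "20.0.0" },
    "node_modules/some-dep/node_modules/@react-native-community/cli-server-api": { version: "15.0.1" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.affected ? "VULNERABLE" : "ok        "} ${f.name}@${f.version} (${f.path})`);
}
```

To run it against a real project, replace SAMPLE_LOCK with the parsed contents of the project's package-lock.json; any finding marked VULNERABLE should be lifted to 20.0.0 or later, including copies nested under another dependency.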

Timeline

  1. 03.02.2026 16:00 2 articles · 11h ago

    Active Exploitation of CVE-2025-11953 in the Wild

    Hackers are actively exploiting the critical vulnerability CVE-2025-11953 in the Metro server for React Native. Attacks were observed on December 21, 2025, January 4, 2026, and January 21, 2026. The attacks deliver base64-encoded PowerShell payloads hidden in the HTTP POST body of malicious requests. The payloads disable endpoint protections, establish a raw TCP connection to attacker-controlled infrastructure, write data to disk, and execute the downloaded binary. The Windows payload is a Rust-based UPX-packed binary with basic anti-analysis logic, and the same attacker infrastructure hosts corresponding Linux binaries, indicating cross-platform targeting. Approximately 3,500 exposed React Native Metro servers are still online, according to scans using the ZoomEye search engine. Despite active exploitation being observed for over a month, the vulnerability still carries a low score in the Exploit Prediction Scoring System (EPSS).

  2. 04.11.2025 16:24 3 articles · 3mo ago

    Critical React Native CLI Vulnerability Patched in Version 20.0.0

    A critical security flaw in the React Native CLI package, tracked as CVE-2025-11953, was discovered and patched in version 20.0.0. The vulnerability allowed remote, unauthenticated attackers to execute arbitrary OS commands on development servers. The flaw was due to the Metro development server binding to external interfaces and exposing a '/open-url' endpoint susceptible to OS command injection. The affected packages are @react-native-community/cli and @react-native-community/cli-server-api, versions 4.8.0 through 20.0.0-alpha.2. The flaw was discovered by researchers at JFrog and disclosed in early November 2025.

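The timeline entry on active exploitation describes base64-encoded PowerShell hidden in HTTP POST bodies. As an added detection example, not code from the page or from any vendor, the Node.js scanner below pulls long base64 runs out of request bodies, decodes each as both UTF-8 and UTF-16LE (the encoding PowerShell's -EncodedCommand expects), and flags PowerShell-related tokens. The request bodies and the token list are constructed assumptions for the demonstration, not indicators taken from the incident.

```javascript
// Flag HTTP POST bodies carrying a base64 blob that decodes to PowerShell.
// Added example for this page; SUSPICIOUS_TOKENS and SAMPLE_REQUESTS are constructed.

// Lower-cased substrings that a decoded PowerShell command line commonly contains.
const SUSPICIOUS_TOKENS = [
  "powershell", "invoke-expression", "encodedcommand",
  "downloadstring", "frombase64string", "tcpclient",
];

// Base64 runs long enough to carry a command; short tokens and padding noise are skipped.
const BASE64_RUN = /[A-Za-z0-9+/]{40,}={0,2}/g;

// Decode one candidate blob in both encodings and return the tokens it contains.
// UTF-16LE matters: PowerShell -EncodedCommand takes base64 of UTF-16LE text,
// so a UTF-8-only decode sees "p\0o\0w\0..." and misses it.
function decodeCandidate(b64) {
  const bytes = Buffer.from(b64, "base64");
  const hits = new Set();
  for (const enc of ["utf8", "utf16le"]) {
    const text = bytes.toString(enc).toLowerCase();
    for (const tok of SUSPICIOUS_TOKENS) if (text.includes(tok)) hits.add(tok);
  }
  return [...hits];
}

// Scan one request body; returns { flagged, matches: [{ blob, tokens }] }.
function scanBody(body) {
  const matches = [];
  for (const blob of body.match(BASE64_RUN) || []) {
    const tokens = decodeCandidate(blob);
    if (tokens.length) matches.push({ blob: blob.slice(0, 24) + "...", tokens });
  }
  return { flagged: matches.length > 0, matches };
}

// Scan a batch of { id, body } records, keeping the id for reporting.
function scanAll(requests) {
  return requests.map(r => ({ id: r.id, ...scanBody(r.body) }));
}

// Constructed samples: the encoded strings are built here rather than pasted in.
const toB64 = (s, enc) => Buffer.from(s, enc).toString("base64");
const SAMPLE_REQUESTS = [
  { id: "benign-json",
    body: JSON.stringify({ url: "https://example.test/a", note: "hello" }) },
  { id: "benign-base64",                       // long base64 of harmless text
    body: JSON.stringify({ avatar: toB64("a".repeat(60), "utf8") }) },
  { id: "utf16-powershell",                    // what -EncodedCommand input looks like
    body: `cmd=${toB64("powershell -NoProfile -Command Invoke-Expression $x", "utf16le")}` },
  { id: "utf8-powershell",                     // plain UTF-8 command line, base64-wrapped
    body: JSON.stringify({ data: toB64("powershell -EncodedCommand AAAA", "utf8") }) },
];

for (const r of scanAll(SAMPLE_REQUESTS)) {
  const detail = r.matches.map(m => `${m.blob} -> ${m.tokens.join(",")}`).join("; ");
  console.log(`${r.flagged ? "FLAG" : "ok  "} ${r.id}${detail ? ": " + detail : ""}`);
}
```

The scanner is a triage filter, not a verdict: a flagged body still needs the decoded text reviewed, and the token list should be tuned against the application's legitimate base64 traffic (file uploads, image data) to keep the false-positive rate usable.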

Similar Happenings

Critical sandbox escape flaw in vm2 NodeJS library

A critical-severity vulnerability (CVE-2026-22709) in the vm2 Node.js sandbox library allows escaping the sandbox and executing arbitrary code on the host system. The flaw arises from improper sanitization of Promises, enabling attackers to bypass sandbox restrictions. The vulnerability affects versions prior to 3.10.2 and has been partially addressed in subsequent updates. The vm2 library, widely used in SaaS platforms and open-source projects, was discontinued in 2023 due to repeated sandbox-escape vulnerabilities but was resurrected in 2025. The vulnerability is trivial to exploit, and users are advised to upgrade to the latest version (3.10.3) to mitigate the risk. The vulnerability carries a CVSS score of 9.8 out of 10.0, highlighting its criticality. The maintainer has acknowledged that new bypasses will likely be discovered in the future, urging users to keep the library up to date and consider alternatives like isolated-vm for stronger isolation guarantees.

Unauthenticated Privilege Escalation in WordPress Modular DS Plugin Exploited in the Wild

A critical vulnerability (CVE-2026-23550, CVSS 10.0) in the WordPress Modular DS plugin, affecting versions up to 2.5.1, is being actively exploited to gain admin access. The flaw allows unauthenticated attackers to bypass authentication and escalate privileges, potentially leading to full site compromise. The issue stems from a combination of design choices, including permissive direct request handling and weak authentication mechanisms. The vulnerability was patched in version 2.5.2, and attacks were first detected on January 13, 2026, originating from specific IP addresses. The Modular DS plugin has over 40,000 installations. Users are urged to update immediately to mitigate the risk.

Critical RCE Flaw in Trend Micro Apex Central On-Prem Windows

Trend Micro has addressed critical vulnerabilities in on-premise Windows versions of Apex Central, including a remote code execution (RCE) flaw (CVE-2025-69258) with a CVSS score of 9.8. The flaw allows unauthenticated remote attackers to execute arbitrary code under SYSTEM context. Two additional flaws (CVE-2025-69259, CVE-2025-69260) with CVSS scores of 7.5 each can cause denial-of-service conditions. The vulnerabilities affect versions below Build 7190 and require physical or remote access to exploit. Apex Central is a web-based management console that helps admins manage multiple Trend Micro products and services, including antivirus, content security, and threat detection. Trend Micro has released Critical Patch Build 7190 to address these vulnerabilities.

Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858)

Multiple critical vulnerabilities have been disclosed in the n8n workflow automation platform. The most recent flaws, tracked as CVE-2026-1470 (CVSS 9.9) and CVE-2026-0863 (CVSS 8.5), allow authenticated users to bypass sandbox mechanisms and achieve remote code execution. These vulnerabilities affect various versions of n8n and have been patched in the latest versions. Additionally, three other critical vulnerabilities (CVE-2025-68613, CVE-2025-68668, and CVE-2026-21877) have been disclosed, affecting various versions of n8n. Over 103,000 instances are potentially vulnerable, with a significant number located in the U.S., Germany, France, Brazil, and Singapore. Users are advised to upgrade to the latest patched versions or implement mitigations such as disabling the Git node and limiting access for untrusted users.

The Ni8mare vulnerability (CVE-2026-21858) leaves over 100,000 potentially exposed servers at risk. It could enable attackers to access API credentials, OAuth tokens, database connections, and cloud storage. The flaw lies in the webhooks that start workflows in n8n. The platform parses incoming data based on the 'content-type' header of the webhook request. When a request is 'multipart/form-data', the platform uses a dedicated file upload parser (Formidable), which stores the files in temporary locations; for all other content types a regular parser is used. The file upload parser wraps Formidable's parse() function and populates req.body.files with its output. If a threat actor changes the content type to something like application/json, the n8n middleware calls the regular parser instead of the file upload parser, so req.body.files would not be populated, allowing attackers to control the file metadata and file path. The vulnerability was reported on November 9 and fixed nine days later. Over 105,753 unpatched instances of n8n were found exposed online, with 59,558 still exposed on Sunday. More than 28,000 IPs were found in the United States and over 21,000 in Europe. n8n is widely used in AI development to automate data ingestion and build AI agents and RAG pipelines.

The two sandbox-escape vulnerabilities, CVE-2026-1470 and CVE-2026-0863, were discovered by researchers at DevSecOps company JFrog. CVE-2026-1470 is an AST sandbox escape caused by improper handling of the JavaScript with statement, allowing arbitrary JavaScript execution and full RCE on the main n8n node. CVE-2026-0863 is a Python AST sandbox escape that combines format-string-based object introspection with Python 3.10+ AttributeError.obj behavior to regain access to restricted builtins and imports, allowing execution of OS commands and full RCE when Python runs as a subprocess on the main n8n node. These vulnerabilities highlight the difficulty of safely sandboxing dynamic, high-level languages such as JavaScript and Python. CVE-2026-1470 was fixed in versions 1.123.17, 2.4.5, and 2.5.1, while CVE-2026-0863 was addressed in n8n versions 1.123.14, 2.3.5, and 2.4.2. Users are recommended to upgrade to the latest versions as soon as possible.

Multiple Critical Vulnerabilities Exploited in Popular Software

Multiple critical vulnerabilities in widely used software, including Apple products, .NET applications, WinRAR, and React, are being actively exploited by threat actors. These flaws allow for arbitrary code execution, remote code execution (RCE), and other malicious activities. The vulnerabilities affect a broad range of users and systems, necessitating immediate updates and patches. The exploits target various vectors, including memory corruption, path traversal, and design flaws in cryptographic keys. The affected software includes Apple's iOS, iPadOS, macOS, Safari, .NET applications, WinRAR, and React. The impact of these vulnerabilities is significant, as they enable attackers to execute arbitrary code, gain unauthorized access, and compromise sensitive data. The urgency of these updates is underscored by the active exploitation of these flaws, with some attacks occurring before fixes were available. Users are advised to install the necessary updates promptly to mitigate the risks.