Metro server for React Native command execution flaw (CVE-2025-11953, actively exploited)
Vulnerability
Summary
The Metro server for React Native flaw CVE-2025-11953 is being actively exploited, exposing development servers to command execution and malicious payload delivery. The bug affects @react-native-community/cli-server-api 4.8.0 through 20.0.0-alpha.2 and was fixed in 20.0.0 and later. Observed attacks hit exposed endpoints on Windows and Linux with base-64 encoded PowerShell payloads.
Related Happenings
React2Shell (CVE-2025-55182) mass scanning and exploitation wave
Exploitation Wave
First: 20.02.2026 23:07
Last: 20.02.2026 23:07
Sources 1
About this happening:
**CVE-2025-55182 (React2Shell)** is being **actively exploited** across **React Server Components (RSC)** and **Next.js** environments, with reports now adding a **ransomware gang...
React Native Metro servers Metro4Shell exploitation wave (CVE-2025-11953)
Exploitation Wave
First: 03.02.2026 16:00
Last: 03.02.2026 16:00
Sources 1
How related:
On December 21, 2025, vulnerability intelligence company VulnCheck observed a threat actor exploiting CVE-2025-11953, dubbed Metro4Shell.
About this happening:
Repeated exploitation of **CVE-2025-11953** is hitting exposed **React Native Metro servers**, creating remote command and payload-delivery risk across a large development-systems...
HPE OneView RondoDox exploitation wave (CVE-2025-37164)
Exploitation Wave
First: 16.01.2026 11:15
Last: 16.01.2026 11:15
Sources 1
About this happening:
**RondoDox** has driven a **large-scale exploitation wave** against **HPE OneView** by targeting **CVE-2025-37164**, with activity escalating into **automated attacks** that creat...
DCRat delivered through PowerShell and MSBuild in PHALT#BLYX
Malware Activity
First: 06.01.2026 14:13
Last: 06.01.2026 14:13
Sources 1
About this happening:
**SHADOW#REACTOR** is a **multi-stage Windows malware campaign** that uses **obfuscated VBS**, **PowerShell**, **wscript.exe**, **MSBuild.exe**, and in-memory loaders to stealthil...
GlassWorm malware wave targets macOS developers via malicious extensions
Malware Activity
First: 01.01.2026 17:18
Last: 01.01.2026 17:18
Sources 1
About this happening:
**Chinese-speaking threat actors** used a **compromised SonicWall VPN appliance** in **December 2025** to deliver a **VMware ESXi** exploit toolkit that Huntress says likely chain...
Latest development: 08.01.2026 23:27
Huntress analyzed December 2025 attacks against VMware ESXi environments in which a compromised SonicWall VPN appliance provided initial access, a compromised Domain Admin account was used to pivot via RDP to domain controllers, and the toolkit deployed MAESTRO (exploit.exe), MyDriver.sys, VSOCKpuppet, and GetShell Plugin (client.exe). Huntress also noted build paths containing simplified Chinese and an English-language README, suggesting a well-resourced developer operating in a Chinese-speaking region.
Timeline
-
03.02.2026 16:00 2 articles · 3mo ago
Metro server for React Native command execution flaw (CVE-2025-11953, actively exploited)
Initial Disclosure
Researchers disclosed **CVE-2025-11953** in early November after finding that the **/open-url** endpoint accepted a POSTed URL value that could reach `open()` unsanitized. The affected **@react-native-community/cli-server-api** builds were **4.8.0 through 20.0.0-alpha.2**, with a fix in **20.0.0 and later**.
Sources:
- Hackers exploit critical React Native Metro bug to breach dev systems — www.bleepingcomputer.com — 03.02.2026 16:00
- Critical React Native CLI Flaw Exposed Millions of Developers to Remote Attacks — thehackernews.com — 04.11.2025 16:24
-
03.02.2026 16:00 1 articles · 3mo ago
First observed exploitation of CVE-2025-11953 in Metro Development Server
Exploitation Observed
Threat actors exploited CVE-2025-11953 (Metro4Shell) in the Metro Development Server of the @react-native-community/cli npm package on December 21, 2025, enabling remote unauthenticated command execution and payload delivery.
Sources:
- Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package — thehackernews.com — 03.02.2026 16:00