Hackers are targeting developers by exploiting the critical vulnerability CVE-2025-11953 in the Metro server for React Native to deliver malicious payloads for Windows and Linux.

On Windows, an unauthenticated attacker can leverage the security issue to execute arbitrary OS commands via a POST request. On Linux and macOS, the vulnerability can lead to running arbitrary executables with limited parameter control.

Metro is the default JavaScript bundler for React Native projects, and it is essential for building and running applications in the development stage.

By default, Metro can bind to external network interfaces and expose development-only HTTP endpoints (/open-url) for local use during development.

Researchers at software supply-chain security company JFrog discovered the flaw and disclosed it in early November. After the public disclosure, multiple proof-of-concept exploits emerged.

In a post at the time, they said that the issue was the /open-url HTTP endpoint accepting POST requests containing a user-supplied URL value that could be passed unsanitized to the ‘open()’ function.

The flaw affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2, and was fixed in version 20.0.0 and later.

On December 21, 2025, vulnerability intelligence company VulnCheck observed a threat actor exploiting CVE-2025-11953, dubbed Metro4Shell. The activity continued to deliver the same payloads on January 4th and 21st.

“Exploitation has delivered advanced payloads on both Linux and Windows, demonstrating that Metro4Shell provides a practical, cross-platform initial access mechanism” - VulnCheck

In all three attacks, the researchers observed the delivery of the same base-64 encoded PowerShell payloads hidden in the HTTP POST body of the malicious requests reaching exposed endpoints.

Once decoded and launched, the payloads perform the following actions:

1. Disable endpoint protections by adding Microsoft Defender exclusion paths for both the current working directory and the system temporary directory using Add-MpPreference.
2. Establish a raw TCP connection to attacker-controlled infrastructure and issue a GET /windows request to retrieve the next-stage payload.
3. Write the received data to disk as an executable file in the system’s temporary directory.
4. Execute the downloaded binary with a large, attacker-supplied argument string.

The Windows payload retrieved in these attacks is a Rust-based UPX-packed binary with basic anti-analysis logic. The same infrastructure hosted a corresponding “linux” binary, indicating that the attacks cover both platforms.

There are approximately 3,500 exposed React Native Metro servers exposed online, according to scans using the ZoomEye search engine for connected devices, services, and web applications.

Despite active exploitation being observed for over a month, the vulnerability still carries a low score in the Exploit Prediction Scoring System (EPSS), a risk assessment framework that estimates the likelihood of exploitation for a security issue.

"Organizations cannot afford to wait for CISA KEV inclusion, vendor reports, or broad consensus before taking action," the researchers say.

VulnCheck's report includes indicators of compromise (IoCs) for the attacker network infrastructure as well as Windows and Linux payloads.