Critical React Native Vulnerability Exploited in the Wild

Miravi

Threat actors have been exploiting a critical-severity React Native vulnerability in attacks since late December, VulnCheck warns.

Tracked as CVE-2025-11953 (CVSS score of 9.8) and disclosed in early November, the bug impacts the highly popular React Native Community CLI NPM package (@react-native-community/cli), which has roughly two million weekly downloads.

It is part of the React Native Community CLI project, which was extracted from the open source framework for improved maintainability, and provides a set of command-line tools for app building.

While CVE-2025-11953 and other vulnerabilities impacting development servers are typically exploitable only from the developer’s local machine, a second issue in React Native exposes the servers to external attackers, software supply chain security firm JFrog warned in November.

Now, VulnCheck mirrors the warning after observing in-the-wild exploitation of the CVE, despite limited public attention.

“As of late January, public discussion largely frames CVE-2025-11953 as a theoretical risk rather than an active intrusion vector. This disconnect is where defenders are most likely to be caught unprepared,” VulnCheck notes in a fresh report.

The vulnerability intelligence firm, which has named the bug Metro4Shell, observed initial exploitation attempts on December 21, followed by more activity on January 4 and 21, suggesting continuous operational use. Thousands of internet-accessible React Native instances could be at risk.
 
Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1190 (Exploit Public-Facing Application)
Attackers target exposed Metro bundler ports (typically 8081).

T1059 (Command and Scripting Interpreter)
Exploitation involves sending simple POST requests to execute remote OS commands.

T1562.001 (Impair Defenses)
The attack chain specifically attempts to "disable Microsoft Defender protections" before payload retrieval.

CVE Profile

ID
CVE-2025-11953 (Metro4Shell)

CVSS
9.8 (Critical)

Affected Component
@react-native-community/cli (Metro JavaScript bundler)

Status
Active exploitation observed since late December 2025.

Live Evidence Extraction

Attack Vector
The Metro bundler, used during development and testing, binds to all network interfaces (0.0.0.0) rather than to localhost only, so any development machine reachable from the internet exposes it to the public internet.
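As an added illustration (not taken from the VulnCheck or JFrog reports), the following Python script checks a host for the binding problem just described: it parses constructed netstat (Windows) or ss (Linux) style output and reports any listener on port 8081 that is not bound to loopback, so a LAN-only binding such as 192.168.x.x is flagged as well as 0.0.0.0.

```python
"""Check whether the Metro bundler's default port is listening beyond loopback.
Parses `netstat -an` (Windows) or `ss -ltn` (Linux) style output; samples are constructed."""
import re

METRO_PORT = 8081
# "addr:port" where addr may be IPv4, [IPv6], "::" or "*"
_LOCAL = re.compile(r"(\[?[0-9A-Fa-f:.*]+\]?):(\d+)$")


def parse_listener(line: str):
    """Return (addr, port) for a listening-socket line, else None."""
    if "LISTEN" not in line:
        return None
    cols = line.split()
    # Windows netstat: TCP <local> <remote> LISTENING
    # Linux ss:        LISTEN <recv-q> <send-q> <local> <peer>
    local = cols[1] if cols[0] == "TCP" else cols[3]
    m = _LOCAL.match(local)
    if not m:
        return None
    return m.group(1).strip("[]"), int(m.group(2))


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def exposed_metro_listeners(output: str):
    """Listeners on the Metro port reachable from other hosts (wildcard or non-loopback)."""
    findings = []
    for line in output.splitlines():
        parsed = parse_listener(line)
        if parsed and parsed[1] == METRO_PORT and not is_loopback(parsed[0]):
            findings.append(parsed)
    return findings


# Constructed samples: a Windows host with Metro on 0.0.0.0 and [::] (exposed)
# and a Linux host where Metro is bound to 127.0.0.1 only (not exposed).
SAMPLE_WINDOWS = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    [::]:8081              [::]:0                 LISTENING
"""
SAMPLE_LINUX = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511        127.0.0.1:8081     0.0.0.0:*
LISTEN 0      4096             *:22               *:*
"""
```

Feed it the real output of netstat -an or ss -ltn from a development workstation; an empty result means Metro is loopback-only or not running.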

Payload Indicators

Loader
A multi-stage PowerShell script.

Network
Raw TCP connections established to the attacker's host.

Final Payload
Rust-based malware with anti-analysis logic.

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Network Isolation
Immediately block ingress traffic to port 8081 (the default Metro port) and other high-range development ports at the perimeter firewall.

Asset Discovery
Scan your external attack surface for exposed React Native development servers.

Blast Radius
Assume any internet-facing development machine running the vulnerable CLI is compromised. Isolate these hosts from the production VLAN immediately.

Phase 2: Eradication

Patching
Upgrade the @react-native-community/cli NPM package to the latest secure version immediately.

Process Termination
On suspected hosts, search for and terminate suspicious PowerShell or Rust-based processes.

Defense Restoration
Verify that Microsoft Defender or your EDR solution has not been disabled or tampered with.

Phase 3: Recovery

Re-imaging
Due to the potential for persistence and defense evasion (disabling Defender), re-imaging compromised development workstations is the only safe recovery method.

Credential Rotation
Rotate all secrets (API keys, cloud credentials) present on the compromised development machines.

Phase 4: Lessons Learned

Policy Enforcement
Enforce configuration policies that restrict development tools to bind only to localhost (127.0.0.1).

Detection Engineering
Create SIEM rules to detect external POST requests to port 8081 and PowerShell commands attempting to modify Defender preferences.
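Added example, not part of the original post or the VulnCheck report: a Python sketch of the two detection rules above, run over constructed key=value events. The internal address ranges and the field names (src, dport, method, Image, CommandLine, ProcessId) are assumptions to be mapped onto your own SIEM schema.

```python
"""Detection logic for the two SIEM rules above, run over constructed sample
events (key=value lines, not real telemetry)."""
import ipaddress
import re

METRO_PORT = 8081
# Assumption: the organisation's internal address space; anything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Defender preference cmdlets combined with any -Disable* switch.
DEFENDER_TAMPER = re.compile(r"(Set|Add)-MpPreference\b.*-Disable\w*", re.IGNORECASE)


def _kv(line: str) -> dict:
    """Parse key=value pairs; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_metro_posts(lines):
    """Rule 1: POST requests to the Metro port from outside the internal ranges."""
    events = (_kv(line) for line in lines)
    return [ev["src"] for ev in events
            if ev.get("method") == "POST" and ev.get("dport") == str(METRO_PORT)
            and is_external(ev["src"])]


def defender_tampering(lines):
    """Rule 2: PowerShell process creations whose command line disables a Defender setting."""
    hits = []
    for ev in map(_kv, lines):
        if ("powershell" in ev.get("Image", "").lower()
                and DEFENDER_TAMPER.search(ev.get("CommandLine", ""))):
            hits.append(ev["ProcessId"])
    return hits


# Constructed sample events (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
HTTP_EVENTS = [
    "ts=2025-12-21T03:14:07Z src=203.0.113.45 dst=10.0.0.12 dport=8081 method=POST",
    "ts=2025-12-21T03:14:09Z src=10.0.0.7 dst=10.0.0.12 dport=8081 method=POST",
    "ts=2025-12-21T03:14:11Z src=198.51.100.9 dst=10.0.0.12 dport=8081 method=GET",
]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_EVENTS = [
    f'ProcessId=4120 Image="{PS}" CommandLine="powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true"',
    f'ProcessId=4188 Image="{PS}" CommandLine="powershell -Command Get-MpPreference"',
    r'ProcessId=4201 Image="C:\Windows\System32\cmd.exe" CommandLine="cmd /c dir"',
]
```

Only the first HTTP event and the first process event match; the internal POST and the read-only Get-MpPreference call are left alone, which keeps the rules from firing on ordinary developer and admin activity.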

Remediation - THE HOME USER / FREELANCE DEV TRACK

Priority 1: Safety (Configuration)

Update Immediately
Run npm update or yarn upgrade in your project directories to ensure you are using the patched version of the CLI.

Check Firewall
Ensure your computer's firewall (Windows Firewall or macOS Firewall) is ON and configured to block incoming connections to your development ports from the public internet.

Priority 2: Scan & Clean

Defender Check
The malware attempts to disable Microsoft Defender. Open Windows Security and confirm "Real-time protection" is active. If it is off and you didn't turn it off, you are likely infected.

Offline Scan
Run a "Microsoft Defender Offline scan" to detect deep-seated malware that might hide while Windows is running.

Priority 3: Persistence

Review Startup Items
Check Task Manager (Startup tab) for suspicious scripts or unknown applications, specifically looking for PowerShell scripts.

Hardening & References

Baseline
CIS Benchmarks for Application Security (Development Environment Hardening).

Supply Chain
NIST SP 800-161 (Cybersecurity Supply Chain Risk Management).

Source

VulnCheck Research Report

JFrog Security Analysis (Original Disclosure)

NVD (National Vulnerability Database)

SecurityWeek Article

Supply Chain Reference

NPM Advisory (GitHub)

Component
@react-native-community/cli

Remediation
Update to the latest version immediately to ensure the Metro bundler does not bind to 0.0.0.0 by default.