A critical remote code execution (RCE) vulnerability in the React Native Community CLI, tracked as CVE-2025-11953, is being actively exploited by attackers. This flaw, which has been dubbed "Metro4Shell," allows unauthenticated attackers to execute arbitrary commands on affected systems. With a CVSS score of 9.8, the vulnerability is considered critical, and it has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of February 5, 2026.
The vulnerability resides in the Metro Development Server, a component of the React Native Community CLI, which binds to external interfaces by default. This configuration exposes an endpoint vulnerable to OS command injection, enabling attackers to send a POST request to the server and execute arbitrary commands. The flaw, identified as CWE-78, was published on November 3, 2025, and has been exploited in the wild within 93 days of disclosure, highlighting the urgency for remediation.
Proof-of-concept (PoC) exploits for CVE-2025-11953 are already available, with at least three known instances circulating among threat actors. The exploitation of this vulnerability can lead to severe consequences, including unauthorized access to sensitive data, disruption of services, and potential lateral movement within compromised networks.
The React Native Community CLI is widely used by developers for building mobile applications, making this vulnerability particularly concerning due to its potential impact on a broad range of applications and services. The exploitation of this flaw underscores the importance of securing development environments and ensuring that exposed interfaces are properly configured and monitored.
Organizations using the React Native Community CLI are urged to apply patches immediately to mitigate the risk of exploitation. In the absence of a patch, it is critical to implement network-level protections to restrict access to the Metro Development Server and monitor for any suspicious activity that could indicate exploitation attempts.
Security teams should prioritize this vulnerability given its critical nature and active exploitation status. Ensuring that all systems are updated and that proper security controls are in place will help protect against potential attacks leveraging this flaw.
CSURFACE