Full Report
Too slow react-ion time

Baddies are exploiting a critical bug in React Native's Metro development server to deliver malware to both Windows and Linux machines, and yet the in-the-wild attacks still haven't received the "broad public acknowledgement" that they should, according to security researchers.…
Analysis Summary
# Vulnerability: Critical OS Command Injection in React Native Metro Development Server
## CVE Details
- CVE ID: CVE-2025-11953
- CVSS Score: 9.8 (Critical)
- CWE: OS Command Injection
## Affected Systems
- Products: React Native Community command line tool (which runs the Metro development server)
- Versions: Releases prior to the patched version (the exact vulnerable version range is not stated; the fix is identified by commit).
- Configurations: Any environment running the Metro development server started by the CLI, especially when exposed to the network.
## Vulnerability Description
The vulnerability resides in the Metro development server component started by the React Native Community command line tool. The server exposes an endpoint vulnerable to OS command injection via an unauthenticated POST request. This flaw allows a remote, unauthenticated attacker to execute arbitrary system commands on the machine hosting the development server. On Linux/Unix systems, this allows running malicious executables, and on Windows, it allows executing arbitrary shell commands with fully controlled arguments.
## Exploitation
- Status: Exploited in the wild (Observed since December)
- Complexity: Low, as it appears to be achievable via a simple unauthenticated POST request.
- Attack Vector: Network
## Impact
- Confidentiality: High (Ability to execute arbitrary code likely grants significant access to system files)
- Integrity: High (Arbitrary code execution allows for system modification)
- Availability: High (Can lead to system compromise or denial of service)
## Remediation
### Patches
- A fix was issued by Meta in the React Native Community CLI repository via commit `15089907d1f1301b22c72d7f68846a2ef20df547`. Users must update to the version containing this commit or later.
### Workarounds
- Restrict network access to the Metro development server (default port 8081) to only trusted internal networks or developers.
- Ensure the CLI is not run on internet-facing servers unless strictly necessary and tightly controlled.
## Detection
- Indicators of Compromise (IoCs):
  - Outbound connections from the host running the Metro server to `8.218.43.248:60124` or `47.86.33.195:60130`.
  - Execution of PowerShell commands that interact with `cmd.exe` used for initial payload delivery.
  - Evidence of Microsoft Defender protection being disabled before payload execution.
  - Appearance of Rust-based binaries with anti-analysis features running.
- Detection Methods and Tools:
  - Network monitoring for unexpected POST requests targeting the Metro server port (default 8081).
  - Endpoint Detection and Response (EDR) solutions should flag disabling security products (like Defender) followed by subsequent binary execution.
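The two network-side checks above (untrusted POSTs reaching the Metro port, and outbound connections to the listed C2 endpoints) as a small detection routine run over constructed connection-log lines. This is an added example, not code from the advisory or the React Native project; the log line format, the `TRUSTED_NETS` ranges and the sample host addresses are assumptions chosen for the example.

```python
import ipaddress
import re

# Assumed log format (one event per line), chosen for this example:
#   <timestamp> <in|out> <src_ip>:<src_port> -> <dst_ip>:<dst_port> [<METHOD> <path>]
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<method>[A-Z]+) (?P<path>\S+))?$"
)

METRO_PORT = 8081  # Metro's default listening port
# C2 endpoints named in the advisory's IoC list.
C2_ENDPOINTS = {("8.218.43.248", 60124), ("47.86.33.195", 60130)}
# Assumed trusted networks: loopback plus a hypothetical developer LAN.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                ipaddress.ip_network("10.20.0.0/16")]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines):
    """Return (severity, reason, raw_line) findings for the two IoC patterns."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        dport = int(m["dport"])
        if (m["dir"] == "in" and dport == METRO_PORT
                and m["method"] == "POST" and not is_trusted(m["src"])):
            findings.append(("high", f"untrusted POST to Metro port from {m['src']}", line))
        elif m["dir"] == "out" and (m["dst"], dport) in C2_ENDPOINTS:
            findings.append(("critical", f"outbound to known C2 {m['dst']}:{dport}", line))
    return findings


# Constructed sample log: 203.0.113.7 is an external (documentation-range) address.
SAMPLE_LOG = [
    "2025-12-03T10:14:02Z in 127.0.0.1:51322 -> 10.20.4.15:8081 GET /index.bundle",
    "2025-12-03T10:14:09Z in 10.20.4.99:40112 -> 10.20.4.15:8081 POST /",
    "2025-12-03T10:15:41Z in 203.0.113.7:53110 -> 10.20.4.15:8081 POST /",
    "2025-12-03T10:15:43Z out 10.20.4.15:49220 -> 8.218.43.248:60124",
    "2025-12-03T10:16:00Z out 10.20.4.15:49221 -> 93.184.216.34:443",
]

if __name__ == "__main__":
    for sev, reason, raw in analyze(SAMPLE_LOG):
        print(f"[{sev}] {reason}: {raw}")
```

Only the POST from the external address and the connection to the listed C2 endpoint are reported; the loopback GET and the POST from the assumed developer LAN are not.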
## References
- Vendor Advisory/Fix: https://github.com/react-native-community/cli/commit/15089907d1f1301b22c72d7f68846a2ef20df547
- Research/Advisory: https://jfrog.com/blog/cve-2025-11953-critical-react-native-community-cli-vulnerability/
- Exploitation Deep Dive: https://www.vulncheck.com/blog/metro4shell_eitw#train-spotting