Full Report
Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular "@react-native-community/cli" npm package. Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary
Analysis Summary
# Vulnerability: Metro4Shell RCE in React Native CLI
## CVE Details
- CVE ID: CVE-2025-11953
- CVSS Score: 9.8 (Critical)
- CWE: Not specified in the summary description.
## Affected Systems
- Products: Metro Development Server within the `@react-native-community/cli` npm package.
- Versions: All vulnerable versions prior to the patch release (specific versions not detailed in this excerpt).
- Configurations: Exploitation targets environments where the Metro Development Server is reachable.
## Vulnerability Description
The vulnerability resides in the Metro Development Server component of the specified package. It allows remote, unauthenticated attackers to execute arbitrary operating system commands on the underlying host system due to a critical flaw (Metro4Shell).
## Exploitation
- Status: Exploited in the wild (Observed since December 21, 2025, according to VulnCheck).
- Complexity: Not explicitly stated, but the exploitation observed is operational and mature.
- Attack Vector: Network (Remote, Unauthenticated).
**Observed Exploitation Details:**
Actors have used a Base64-encoded PowerShell script to achieve execution. This script was observed:
1. Making Microsoft Defender Antivirus exclusions for the current directory and the temporary folder (`C:\Users\AppData\Local\Temp`).
2. Establishing a raw TCP connection to an external C2 host (`8.218.43[.]248:60124`).
3. Downloading a secondary, Rust-based binary payload that includes anti-analysis checks, writing it to the temporary directory, and executing it.
## Impact
- Confidentiality: High (Arbitrary command execution allows for data exfiltration).
- Integrity: High (Arbitrary command execution allows for system modification).
- Availability: High (Arbitrary command execution can lead to service disruption or system compromise).
## Remediation
### Patches
- Specific patch version information is not provided in this context, but immediate patching is required. Users should consult the official `@react-native-community/cli` release notes for the patched version addressing CVE-2025-11953.
### Workarounds
- No specific workarounds were detailed in this summary, but network segmentation or restricting access to the Metro Development Server endpoint is a strong immediate measure given the remote nature of the exploit.
## Detection
- **Indicators of Compromise (IOCs):**
* Connection attempts to C2 IP: `8.218.43[.]248:60124`.
* External connections originating from processes related to the Metro bundler/development environment.
* Creation of suspicious files/execution of PowerShell scripts in temporary directories (`C:\Users\AppData\Local\Temp`).
* System changes related to Microsoft Defender Antivirus exclusions matching the attack pattern.
* **Detection Methods and Tools:** Network monitoring, Endpoint Detection and Response (EDR) systems focusing on anomalous process execution originating from development tools.
## References
- Vendor Advisories: JFrog documented the flaw initially (November 2025). VulnCheck verified active exploitation.
- Relevant Links:
* VulnCheck observation report: hxxps://www.vulncheck.com/blog/metro4shell_eitw
* NVD entry: hxxps://nvd.nist.gov/vuln/detail/CVE-2025-11953
* Sample payload detail: hxxps://www.virustotal.com/gui/file/7ecbb0cc88dfa5f187c209a28bd25e8e2d5113bb898a91ae273bca5983130886/details