PT-2025-44787 · Unknown · Metro Development Server, React Native Community CLI

Published: 2025-08-04 · Updated: 2026-03-24 · CVE-2025-11953

CVSS v2.0: 10 (Critical) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: React Native Community CLI versions 4.8.0 through 20.0.0-alpha.2

Description: The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run arbitrary executables. On Windows, attackers can also execute arbitrary shell commands with fully controlled arguments. Active exploitation of this vulnerability, dubbed "Metro4Shell" (CVE-2025-11953), has been observed in the wild, with attackers deploying PowerShell loaders to disable Microsoft Defender and deliver Rust-based malware. Approximately 3,500 servers are estimated to be exposed. The vulnerability resides in the /open-url endpoint, where the url parameter is passed to the open() function without proper validation. This allows attackers to execute commands on the system.

Recommendations: React Native Community CLI versions prior to 20.0.0 are vulnerable. Update to version 20.0.0 or later to address this vulnerability. If updating is not immediately possible, bind the Metro server to localhost (127.0.0.1) to prevent external access. Implement network segmentation to isolate development environments. Monitor for anomalous POST requests to the /open-url endpoint.
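The monitoring recommendation above, worked as a small detection script. This is an added example, not code from the advisory or from the Metro or React Native projects; it assumes a request log with one line per request in the form "timestamp client_ip method path json_body" (an assumed format) and flags POST /open-url requests that arrive from a non-loopback client or whose url parameter is not a plain http(s) URL.

```python
"""Detection helper for the Metro /open-url exposure described above.

Assumed log format (one request per line):
"<timestamp> <client_ip> <method> <path> <json_body>".
"""
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample lines, not real traffic. Only the last two should be flagged.
SAMPLE_LOG = """\
2025-08-04T10:00:01Z 127.0.0.1 GET /status -
2025-08-04T10:00:02Z 127.0.0.1 POST /open-url {"url": "http://localhost:8081/debugger-ui"}
2025-08-04T10:00:03Z 203.0.113.5 POST /open-url {"url": "http://localhost:8081/debugger-ui"}
2025-08-04T10:00:04Z 127.0.0.1 POST /open-url {"url": "not-a-url"}
"""


def classify(line):
    """Return a reason string if the request looks anomalous, else None.

    Two checks follow the advisory's recommendations: the dev server should
    only be reached from the developer's own machine, and the url parameter
    handed to open() should be an ordinary http(s) URL.
    """
    parts = line.split(" ", 4)
    if len(parts) < 5:
        return None
    _ts, client, method, path, body = parts
    if method != "POST" or path != "/open-url":
        return None
    if not ipaddress.ip_address(client).is_loopback:
        return "POST /open-url from non-loopback client %s" % client
    try:
        url = json.loads(body).get("url", "")
    except (ValueError, AttributeError):
        return "POST /open-url with unparseable body"
    if urlparse(str(url)).scheme not in ("http", "https"):
        return "POST /open-url with non-http(s) url parameter"
    return None


def scan(log_text):
    """Return a list of (line_number, reason) for every anomalous request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reason = classify(line)
        if reason:
            hits.append((n, reason))
    return hits


if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print("line %d: %s" % (n, reason))
```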

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-01467
CVE-2025-11953
GHSA-399J-VXMF-HJVR

Affected Products

Metro Development Server
React Native Community CLI