React Native Vulnerability Actively Exploited in the Wild


Thursday, February 5, 2026

Researchers from vulnerability intelligence firm VulnCheck have revealed that a critical vulnerability in the React Native platform has been actively exploited since late December. The flaw, tracked as CVE-2025-11953, carries a CVSS score of 9.8 (Critical) and affects the widely used @react-native-community/cli package, a key tool for developing React Native applications. Although initially considered a theoretical risk, VulnCheck has confirmed that real-world exploitation is now underway.

The vulnerability, dubbed Metro4Shell, originates in Metro, the JavaScript bundler and development server used during the build and testing phases of React Native apps. Metro’s default configuration may allow connections from external networks, enabling attackers to execute operating system commands remotely without authentication through simple POST requests. VulnCheck observed multiple waves of attacks throughout December and January and estimates that many internet-exposed React Native servers remain at risk.

Analysis of the attacks shows that threat actors deploy multi-stage PowerShell scripts to disable security protections such as Microsoft Defender before downloading and executing malware. The final payload is written in Rust and incorporates basic evasion techniques. This incident highlights how development infrastructure can quickly become an attack surface if exposed externally. VulnCheck therefore recommends that organizations and developers review development server configurations, restrict external access, and apply patches promptly to reduce the risk of compromise.
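The mitigation VulnCheck recommends, reviewing development server configuration and restricting external access, comes down to one question: is the Metro dev server listening on an address other hosts can reach? The following Node.js script is an added example, not code from the article, from VulnCheck or from the React Native project. It parses constructed `ss -ltn` / `netstat -ltn` style output and flags any listener on Metro's default port (8081) whose bind address is not loopback. The sample lines are constructed for illustration; run it against real socket-listing output on the build host to get an actual answer.

```javascript
// Added example (not from the article or the React Native project): audit listening
// sockets for a development server bound beyond the loopback interface.
// Assumed input: lines in the shape of `ss -ltn` or `netstat -ltn` output.

const METRO_DEFAULT_PORT = 8081; // Metro's documented default dev-server port

// Loopback addresses only accept connections from the same machine.
function isLoopback(addr) {
  return addr === '::1' || addr.startsWith('127.');
}

// Parse a local-address field such as "0.0.0.0:8081", "[::]:8081", ":::8081"
// or "127.0.0.1:8081". Returns null for header text or "0.0.0.0:*" style peers.
function parseLocalAddress(field) {
  const idx = field.lastIndexOf(':');
  if (idx < 0) return null;
  const port = Number(field.slice(idx + 1));
  if (!Number.isInteger(port)) return null;
  let addr = field.slice(0, idx);
  if (addr.startsWith('[') && addr.endsWith(']')) addr = addr.slice(1, -1);
  return { addr, port };
}

// Return every listener on `port` whose bind address is reachable from other hosts.
// In both `ss` and `netstat` output the first field containing ':' is the local address.
function findExposedListeners(lines, port = METRO_DEFAULT_PORT) {
  const exposed = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    const local = fields.find((f) => f.includes(':'));
    if (!local) continue;
    const parsed = parseLocalAddress(local);
    if (!parsed || parsed.port !== port) continue;
    if (!isLoopback(parsed.addr)) {
      // Wildcard (0.0.0.0, ::) or a specific non-loopback interface: externally reachable.
      exposed.push({ addr: parsed.addr, port: parsed.port, line: line.trim() });
    }
  }
  return exposed;
}

// Constructed sample: a Metro server bound to all IPv4 and IPv6 interfaces,
// next to a database that is correctly bound to loopback only.
const SAMPLE_SS_OUTPUT = [
  'State  Recv-Q Send-Q Local Address:Port  Peer Address:Port',
  'LISTEN 0      511    0.0.0.0:8081        0.0.0.0:*',
  'LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*',
  'LISTEN 0      511    [::]:8081           [::]:*',
];

// Constructed sample of the hardened state: dev server reachable only locally.
const SAMPLE_HARDENED_OUTPUT = [
  'LISTEN 0      511    127.0.0.1:8081      0.0.0.0:*',
];

function report(lines) {
  const exposed = findExposedListeners(lines);
  if (exposed.length === 0) {
    console.log('OK: no externally reachable listener on port', METRO_DEFAULT_PORT);
  } else {
    for (const e of exposed) {
      console.log(`EXPOSED: ${e.addr}:${e.port}  (${e.line})`);
    }
  }
  return exposed;
}

report(SAMPLE_SS_OUTPUT);
report(SAMPLE_HARDENED_OUTPUT);
```

When the script reports an exposed listener, the immediate fix is to bind the dev server to loopback (the CLI's `start` command accepts a `--host` option for this) and to keep build hosts behind a firewall that does not forward the port; the durable fix is updating to a patched `@react-native-community/cli` release. An entry bound to a specific LAN address rather than a wildcard is still flagged, because it is still reachable by other hosts on that network.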

Source: https://www.securityweek.com/critical-react-native-vulnerability-exploited-in-the-wild/