Attack

Critical React Native Metro Server Bug Under Active Exploitation

Take action: This is now urgent and important. If you're a React Native developer, update @react-native-community/cli-server-api to version 20.0.0 or higher; the vulnerability is being actively exploited in the wild. If you can't update right away, start your Metro server bound to the loopback interface with the --host 127.0.0.1 flag (for example `npx react-native start --host 127.0.0.1`) so that it cannot be reached from the network. Each project carries its own copy of the package, so patch every project on your machine as well as any globally installed version of the CLI.


Learn More

A critical flaw in the developer tooling for Meta's React Native framework is being actively exploited.

The exploited flaw is tracked as CVE-2025-11953 (CVSS score 9.8), an OS command injection vulnerability in the Metro development server, which exposes the /open-url endpoint without proper input validation. An attacker who can reach the server sends a specially crafted POST request to /open-url, and the URL taken from the request body ends up in a shell command on the host machine. On Windows this lets attackers execute commands with fully controlled arguments, giving complete system takeover with no authentication required.

Security researchers at VulnCheck report that attackers are using the bug to deliver malware to both Windows and Linux developer workstations.

The observed exploit chain is a multi-stage PowerShell loader launched through cmd.exe. First, the attacker sends a base64-encoded PowerShell command that adds Microsoft Defender exclusions for the current working directory and the temporary directory, so that the files dropped next are not scanned. Next, the script opens a raw TCP connection to an attacker-controlled IP address and downloads a UPX-packed binary. Finally, it runs that Rust-based payload, which performs anti-analysis checks to detect whether it is running in a sandbox or under static inspection.

These attacks have been targeting developers since at least December 2025, using infrastructure spread across several IP addresses in different regions. The primary impact is the unauthorized installation of persistent malware that can exfiltrate data or serve as a foothold into corporate networks.

Indicators of compromise include:

  • Malicious IP addresses: 65.109.182.231, 223.6.249.141, 134.209.69.155
  • Payload hosting servers: 8.218.43.248 and 47.86.33.195
  • UPX-packed Windows and Linux binaries (SHA-256: d8337df3aff749250557bf11daf069eb404cce0e6f4f91c6bd6d3f78aed6e9d6)
  • PowerShell scripts designed to disable endpoint security

Meta has released a fix for the React Native Community command line tool; the patched release is @react-native-community/cli-server-api 20.0.0. Organizations should immediately update the affected npm packages and ensure that development servers are not reachable from the public internet or from untrusted networks.

Since developer tools are often inconsistently monitored, security teams should scan their networks for exposed Metro server instances (Metro listens on TCP port 8081 by default) and review logs for POST requests to the /open-url path that did not originate from the developer's own machine.
