

Ethical Hacking News

A Critical React Native Metro Dev Server Bug Under Attack: A Threat to Mobile Application Security



A critical bug in React Native's Metro development server has been identified as a potential threat to mobile application security. The vulnerability, discovered in early November, allows attackers to deliver malware to both Windows and Linux machines. The cybersecurity community must remain vigilant in monitoring this vulnerability and providing timely warnings to prevent exploitation.

  • Metro, the development server used by the popular React Native tooling, contains a critical bug that allows malware delivery to Windows and Linux machines.
  • The vulnerability arises from an endpoint vulnerable to OS command injection, enabling unauthenticated attackers to execute arbitrary shell commands on Windows.
  • The first wave of exploitation began in December, with attacks delivering malicious payloads using PowerShell-based loaders.
  • The bug is receiving limited attention from the cybersecurity community, despite its critical severity rating and potential impact on mobile app security.
  • Developers should prioritize patching the vulnerability to protect their mobile applications from potential attacks.



    Metro, the development server for Meta's popular React Native framework, contains a critical bug that allows attackers to deliver malware to both Windows and Linux machines. Although it was discovered in early November, the vulnerability, tracked as CVE-2025-11953, is still not receiving the attention it deserves from the cybersecurity community.

    The bug arises because the Metro development server exposes an endpoint vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run malicious executables. On Windows machines, miscreants can abuse the security hole to execute arbitrary shell commands with fully controlled arguments. The vulnerability was assigned a critical, 9.8 CVSS severity rating by JFrog researchers, indicating its potential impact on mobile application security.

    The first wave of exploitation began in December, with more attacks delivering the same payloads observed on January 4 and January 21. These attacks used a multi-stage PowerShell-based loader delivered through cmd.exe, and the code disabled Microsoft Defender protections before retrieving and running the payload: a Rust-based binary with anti-analysis features, including runtime checks to help avoid detection via static inspection.

    The attackers' tactics, techniques, and procedures (TTPs) suggest that they anticipated the presence of endpoint security controls and incorporated evasion measures into the initial execution flow. The deliberate disabling of Microsoft Defender protections before payload retrieval indicates a level of sophistication and preparation on the part of the threat actors.

    According to VulnCheck CTO Jacob Baines, the bug is not receiving the attention it deserves. "Now, more than a month after initial exploitation in the wild, that activity has yet to see broad public acknowledgment, and EPSS [the Exploit Prediction Scoring System] continues to assign a low exploitation probability of 0.00405," he wrote in a Tuesday blog. This gap between observed exploitation and wider recognition matters, particularly for vulnerabilities that are easy to exploit and exposed on the public internet.

    The attacks originated from IP addresses 65.109.182.231, 223.6.249.141, and 134.209.69.155, with the "windows" payload hosted at 8.218.43.248:60124, and 47.86.33.195:60130 hosting both a "windows" and "linux" binary.
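The loader chain and network indicators described above can be turned into a simple hunt over endpoint telemetry. The following is an added example, not code from the article or from VulnCheck: the JSON-lines schema, host names and sample events are constructed, and it assumes the dev server runs as `node.exe` and that Defender tampering shows up as the `Set-MpPreference` or `Add-MpPreference` cmdlets.

```python
import json

# Indicators quoted in the article text.
EXPLOIT_SOURCES = {"65.109.182.231", "223.6.249.141", "134.209.69.155"}
PAYLOAD_HOSTS = {("8.218.43.248", 60124), ("47.86.33.195", 60130)}
# Assumption: Defender tampering surfaces as these PowerShell cmdlets.
DEFENDER_CMDLETS = ("set-mppreference", "add-mppreference")

# Constructed telemetry in a hypothetical normalized JSON-lines schema.
SAMPLE = """\
{"host":"dev1","type":"net","dir":"in","ip":"65.109.182.231","port":51544}
{"host":"dev1","type":"proc","pid":100,"ppid":1,"image":"node.exe","cmd":"node (Metro)"}
{"host":"dev1","type":"proc","pid":200,"ppid":100,"image":"cmd.exe","cmd":"cmd.exe /c (elided)"}
{"host":"dev1","type":"proc","pid":300,"ppid":200,"image":"powershell.exe","cmd":"Set-MpPreference (elided)"}
{"host":"dev1","type":"net","dir":"out","ip":"8.218.43.248","port":60124}
{"host":"dev2","type":"proc","pid":10,"ppid":1,"image":"node.exe","cmd":"node (Metro)"}
{"host":"dev2","type":"proc","pid":20,"ppid":10,"image":"cmd.exe","cmd":"cmd.exe /c npm run lint"}
{"host":"dev2","type":"net","dir":"out","ip":"203.0.113.7","port":443}
"""

def ancestry(procs, key):
    """Image names from a process up through its recorded parents."""
    chain = []
    while key in procs and len(chain) < 16:  # bound guards against pid loops
        image, key = procs[key]
        chain.append(image)
    return chain

def scan(text):
    """Map host -> sorted findings for JSON-lines telemetry."""
    procs, findings = {}, {}
    for line in text.splitlines():
        ev = json.loads(line)
        hits = findings.setdefault(ev["host"], set())
        if ev["type"] == "net":
            if ev["dir"] == "in" and ev["ip"] in EXPLOIT_SOURCES:
                hits.add("inbound-from-listed-source")
            if ev["dir"] == "out" and (ev["ip"], ev["port"]) in PAYLOAD_HOSTS:
                hits.add("outbound-to-payload-host")
        elif ev["type"] == "proc":
            key = (ev["host"], ev["pid"])
            procs[key] = (ev["image"].lower(), (ev["host"], ev["ppid"]))
            # Loader shape from the article: dev server -> cmd.exe -> PowerShell.
            if ancestry(procs, key)[:3] == ["powershell.exe", "cmd.exe", "node.exe"]:
                hits.add("node-cmd-powershell-chain")
                if any(c in ev["cmd"].lower() for c in DEFENDER_CMDLETS):
                    hits.add("defender-tamper-under-node")
    return {h: sorted(f) for h, f in findings.items() if f}

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A `node.exe` to `cmd.exe` hop alone is routine on developer machines (the `dev2` events), so the hunt only fires when PowerShell sits under that pair or a listed address appears.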

    The vulnerability in React Native's Metro development server is a serious reminder of the importance of staying up-to-date with security patches and using reputable sources for software downloads. Developers who rely on this tool should prioritize patching the vulnerability as soon as possible to protect their mobile applications from potential attacks.

    In light of this incident, it is essential to reassess our approach to developer tooling and ensure that these tools are treated as production-grade, rather than just being used for development purposes. The cybersecurity community must remain vigilant in monitoring vulnerabilities like CVE-2025-11953 and providing timely warnings to prevent exploitation.

    Ultimately, the discovery of this critical bug highlights the importance of ongoing security research and collaboration between developers, researchers, and vendors. By working together, we can identify and address vulnerabilities before they are exploited by malicious actors.





  • Published: Tue Feb 3 19:59:52 2026 by llama3.2 3B Q4_K_M












