Ethical Hacking News
Hackers have exploited a critical vulnerability in the popular React Native Metro server, tracked as CVE-2025-11953, to deliver malicious payloads and breach developer systems. According to reports, the bug was first reported by researchers at software supply-chain security company JFrog, who disclosed it in early November 2025. It stems from the /open-url HTTP endpoint accepting unsanitized user-supplied URL values, which lets an unauthenticated attacker execute arbitrary OS commands on Windows, and run arbitrary executables on Linux and macOS, via a POST request.
The flaw affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 and was fixed in version 20.0.0 and later. Multiple proof-of-concept exploits emerged after public disclosure, and in February 2026 hackers were found exploiting the bug to breach developer systems; the attack, dubbed Metro4Shell, delivered post-exploitation payloads for both Windows and Linux. Security experts are warning developers about the risks of running React Native Metro without adequate precautions against exploitation, and some companies have started issuing advisories and patches for their systems. The discovery highlights the importance of patching vulnerabilities in software supply-chain components to prevent malicious actors from exploiting them.
In a concerning development that has left security experts scrambling, hackers have exploited a critical vulnerability in the popular React Native Metro server to deliver malicious payloads and breach developer systems. The bug, identified as CVE-2025-11953, was first reported by researchers at software supply-chain security company JFrog, who disclosed it in early November 2025.
According to reports, the issue was the /open-url HTTP endpoint accepting POST requests containing a user-supplied URL value that could be passed unsanitized to the ‘open()’ function. This allowed an attacker to execute arbitrary OS commands on Windows and run arbitrary executables with limited parameter control on Linux and macOS.
JFrog researchers noted that, by default, Metro can bind to external network interfaces and expose development-only HTTP endpoints (/open-url) for local use during development. This exposed the system to potential exploitation by malicious actors seeking to breach developer systems.
The vulnerability affected @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 and was fixed in version 20.0.0 and later. Researchers at JFrog discovered the flaw and disclosed it in early November 2025.
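Because the affected range ends at a prerelease (20.0.0-alpha.2) while the fix is the 20.0.0 release, a naive string comparison of versions gets the boundary wrong. As an added example, not code from the article or from the React Native project, the following Node.js script audits an npm lockfile for every installed copy of @react-native-community/cli-server-api, including nested copies pulled in transitively, and flags those below the fixed release; the lockfile contents are constructed, and the semver handling is the example's own simplified comparison.

```javascript
// Added example, not from the article or the React Native project: audit an npm
// lockfile for copies of @react-native-community/cli-server-api in the range the
// article reports as affected, 4.8.0 up to (not including) the fixed 20.0.0 release.
const PKG = '@react-native-community/cli-server-api';
const FIRST_AFFECTED = '4.8.0';
const FIRST_FIXED = '20.0.0';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" as exact versions appear in a lockfile.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Semver ordering sufficient for this check: compare the numeric triple, then treat
// any prerelease of X.Y.Z as lower than the X.Y.Z release itself.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // two prereleases: lexical order is enough here
}

// Affected iff FIRST_AFFECTED <= version < FIRST_FIXED (so 20.0.0-alpha.2 is flagged).
function isAffected(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 &&
         compareVersions(version, FIRST_FIXED) < 0;
}

// Walk the "packages" map of a lockfile v2/v3. Nested installs appear under paths
// like node_modules/<parent>/node_modules/<pkg>, so match on the path suffix.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/' + PKG) && entry.version) {
      findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: a patched top-level copy plus an older nested copy
// that a transitive dependency still pulls in, the case that is easy to overlook.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  ['node_modules/' + PKG]: { version: '20.0.0' },
  ['node_modules/@react-native-community/cli/node_modules/' + PKG]: { version: '13.6.9' },
} };
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any finding marked affected means that copy still needs to be raised to 20.0.0 or later.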
In December 2025, vulnerability intelligence company VulnCheck observed a threat actor exploiting CVE-2025-11953, dubbed Metro4Shell. The activity continued to deliver the same payloads on January 4th and 21st.
According to reports, an unauthenticated attacker can leverage the security issue to execute arbitrary OS commands via a POST request. On Linux and macOS, the vulnerability can lead to running arbitrary executables with limited parameter control.
Researchers at JFrog noted that multiple proof-of-concept exploits emerged after the public disclosure of the flaw.
In February 2026, hackers were found exploiting the critical React Native Metro bug to breach developer systems. The attack was dubbed Metro4Shell and delivered post-exploitation payloads for both Windows and Linux.
According to VulnCheck, the exploitation delivered advanced payloads on both Linux and Windows, demonstrating that Metro4Shell provides a practical cross-platform initial access mechanism.
In this context, security experts are warning developers about the potential risks of using React Native Metro without taking adequate precautions against exploitation by hackers. The discovery highlights the importance of patching vulnerabilities in software supply-chain components to prevent malicious actors from exploiting them.
In response to the attack, some companies have started issuing advisories and patches for their systems.
For developers using React Native Metro, security experts are advising users to keep their software up-to-date with the latest versions and to take other measures to protect their systems against exploitation by hackers.
Related Information:
https://www.ethicalhackingnews.com/articles/Hackers-Leverage-Critical-React-Native-Metro-Bug-for-Dev-Systems-Breach-ehn.shtml
Published: Tue Feb 3 12:28:53 2026 by llama3.2 3B Q4_K_M