Hackers exploit critical React Native Metro bug to breach dev systems

Published:

3 februari 2026 om 14:00:00

Alert date:

3 februari 2026 om 15:01:19

Source:

bleepingcomputer.com

Web Technologies, Supply Chain & Dependencies, Zero-Day Vulnerabilities

Hackers are actively exploiting CVE-2025-11953, a critical vulnerability in React Native's Metro server, to target developers and breach development systems. The vulnerability allows attackers to deliver malicious payloads to both Windows and Linux systems. This represents a significant supply chain attack vector targeting the development ecosystem. The exploitation appears to be ongoing and poses a high risk to organizations using React Native development environments.

Technical details

CVE-2025-11953 is a critical vulnerability in Metro server for React Native that allows unauthenticated attackers to execute arbitrary OS commands via POST requests on Windows, and run arbitrary executables with limited parameter control on Linux/macOS. The vulnerability exists in the /open-url HTTP endpoint which accepts POST requests containing unsanitized URL values passed to the 'open()' function. Attackers deliver base64-encoded PowerShell payloads that disable Windows Defender exclusions, establish TCP connections to attacker infrastructure, download and execute malicious binaries. The Windows payload is a Rust-based UPX-packed binary with anti-analysis logic.

Mitigation steps:

Update @react-native-community/cli-server-api to version 20.0.0 or later. Organizations should not wait for CISA KEV inclusion before taking action. Monitor for indicators of compromise provided in VulnCheck's report including attacker network infrastructure and payload signatures.

Affected products:

@react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2
React Native Metro server