A critical vulnerability, CVE-2025-11953, also known as Metro4Shell, affects the Metro Development Server bundled with the “@react-native-community/cli” npm package. Rated CVSS 9.8, it allows remote, unauthenticated attackers to run arbitrary operating system commands on the affected host. VulnCheck was the first to discover the flaw on December 21, 2025, and it remains a major concern for developers and cybersecurity professionals.
The vulnerability affects the widely used React Native CLI package, which many developers rely on to build mobile applications. Exploitation has been observed in the wild, with activity traced to three IP addresses: 5.109.182.231, 223.6.249.141, and 134.209.69.155. The exploits use a PowerShell script that opens a raw TCP connection to an attacker-controlled host at “8.218.43.248:60124”. The script downloads data, writes it to a temporary file, and executes it, giving the attacker a foothold on the developer’s machine.
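The indicators quoted above (three exploitation source addresses and one command-and-control host and port) are the kind of data a defender can sweep logs for. The following script is an added example, not code from the article or from VulnCheck, and its log format is a constructed assumption: each line is a set of key=value fields, with `event=metro_http` for requests reaching the Metro dev server and `event=netconn` for outbound process connections. It flags requests from the listed source IPs, connections to the reported C2 endpoint, and, as a broader heuristic that is an assumption of this example rather than something the article states, any powershell.exe child of node.exe that opens a network connection.

```python
"""Log sweep for the Metro4Shell (CVE-2025-11953) indicators quoted in the article."""
import re
from dataclasses import dataclass
from typing import Optional

# Indicators as published: source addresses seen exploiting the Metro dev
# server, and the host/port the PowerShell stager connects back to.
EXPLOIT_SOURCE_IPS = {"5.109.182.231", "223.6.249.141", "134.209.69.155"}
C2_HOST = "8.218.43.248"
C2_PORT = 60124

# key=value tokens; quoted values may contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    record: str


def parse_record(line: str) -> dict:
    """Parse one constructed key=value log line into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def classify(rec: dict) -> Optional[str]:
    """Return a reason string if the record matches an indicator, else None."""
    event = rec.get("event")
    if event == "metro_http" and rec.get("src") in EXPLOIT_SOURCE_IPS:
        return f"Metro dev server request from known exploitation source {rec['src']}"
    if event == "netconn":
        # Exact C2 match takes precedence over the weaker heuristic below.
        if rec.get("dst") == C2_HOST and rec.get("dport") == str(C2_PORT):
            return f"outbound connection to reported C2 {C2_HOST}:{C2_PORT}"
        # Heuristic (assumption of this example): a dev server runs under
        # node.exe and has no business spawning PowerShell that talks to the network.
        if (rec.get("proc", "").lower() == "powershell.exe"
                and rec.get("parent", "").lower() == "node.exe"):
            return "powershell.exe spawned by node.exe opened a network connection"
    return None


def scan_log(text: str) -> list:
    """Scan a whole log and return a Finding for every line that matches."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        reason = classify(parse_record(line))
        if reason:
            findings.append(Finding(n, reason, line))
    return findings


# Constructed sample log: lines 1, 2 and 5 should be flagged, 3 and 4 are benign.
SAMPLE_LOG = """\
ts=2025-12-21T10:14:02Z event=metro_http src=5.109.182.231 method=POST
ts=2025-12-21T10:14:03Z event=netconn proc=powershell.exe parent=node.exe dst=8.218.43.248 dport=60124
ts=2025-12-21T10:15:10Z event=metro_http src=198.51.100.7 method=GET
ts=2025-12-21T10:16:00Z event=netconn proc=chrome.exe parent=explorer.exe dst=203.0.113.9 dport=443
ts=2025-12-21T10:17:30Z event=netconn proc=powershell.exe parent=node.exe dst=203.0.113.40 dport=8080
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

The exact-IoC matches are high confidence but short-lived, since attacker infrastructure rotates; the node.exe-to-powershell.exe heuristic is what keeps catching the technique after the addresses change, at the cost of needing tuning on hosts where developers legitimately script from a dev server.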
Timeline of Discovery and Exploitation
JFrog wrote extensively about the background of CVE-2025-11953 in November 2025. That write-up focused on the threat vector and the severity of the risk, but the vulnerability itself had international implications. As Malwarebytes notes, VulnCheck reported the first successful exploitation in December. This means threat actors have been actively exploiting the vulnerability for over a month.
Although exploitation continues, there has been no public outcry and little widespread recognition of the problem. Defenders stress the importance of addressing such vulnerabilities as quickly as possible, all the more so when they affect development infrastructure, which malicious actors can target just as easily as production systems.
“CVE-2025-11953 is not remarkable because it exists. It is remarkable because it reinforces a pattern defenders continue to relearn. Development infrastructure becomes production infrastructure the moment it is reachable, regardless of intent.” – VulnCheck
Government Response and Community Awareness
The Cybersecurity and Infrastructure Security Agency (CISA) released an alert calling on developers and organizations that depend on the “@react-native-community/cli” package to be aware of this critical vulnerability. The agency moved quickly to limit the potential damage from this defect and is also promoting awareness within the developer community.
The CISA warning is a fresh reminder of a dynamic, constantly evolving threat environment, and of the need for software developers to stay on guard around the clock. Every company and organization should know about vulnerabilities like this one and take proactive steps to address them.
Implications for Developers
The research into CVE-2025-11953 underscores the difficult reality that developers will continue to struggle to secure their applications. The attackers’ ability to execute arbitrary commands remotely highlights the importance of sound security practices.
The React Native community is urging developers to review their current use of the “@react-native-community/cli” package and to harden their systems immediately, before they can be exploited. If we have learned anything, it is that threats keep evolving. Protecting development and production environments alike requires staying vigilant for vulnerabilities such as Metro4Shell.