Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package

Severity: Critical
Tags: exploit, remote, rce
Published: Tue Feb 03 2026 (02/03/2026, 14:00:00 UTC)
Source: The Hacker News

Description

Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular "@react-native-community/cli" npm package. Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary

AI-Powered Analysis

Last updated: 02/04/2026, 09:34:36 UTC

Technical Analysis

The Metro4Shell vulnerability (CVE-2025-11953) is a critical remote code execution (RCE) flaw in the Metro Development Server component of the @react-native-community/cli npm package, a core tool in React Native mobile app development. First documented by JFrog in November 2025 and actively exploited since December 21, 2025, it carries a CVSS score of 9.8, indicating critical severity. It allows unauthenticated remote attackers to execute arbitrary operating system commands on the host running the Metro server: specially crafted requests trigger command execution without authentication or user interaction. Exploits observed in the wild deliver Base64-encoded PowerShell scripts that perform several malicious actions: they disable Microsoft Defender Antivirus exclusions for the working directory and temporary folders, establish raw TCP connections to attacker-controlled servers, download additional payloads, and execute them. The downloaded binaries are written in Rust and incorporate anti-analysis techniques to evade detection and static inspection. The attacks are persistent and operational rather than exploratory, indicating active exploitation campaigns against development infrastructure. This matters because development servers, often overlooked in security postures, become de facto production infrastructure once exposed to a network. No specific affected versions were listed; the vulnerability affects all versions of the Metro Development Server prior to the patched release, implying widespread impact. The threat actors use multiple IP addresses, suggesting coordinated campaigns. Metro4Shell underscores the risk of supply chain and development tool vulnerabilities, especially in open-source ecosystems such as npm, where a compromised build tool can have widespread downstream impact.

Potential Impact

For European organizations, the Metro4Shell vulnerability presents a critical risk to the confidentiality, integrity, and availability of software development environments and potentially production systems. Organizations using React Native CLI and Metro Development Server in their development pipelines may face unauthorized code execution, leading to full system compromise, data exfiltration, and lateral movement within corporate networks. The delivered payloads disable endpoint protections, increasing the risk of persistent malware infections and further exploitation. Given the reliance on React Native for mobile app development across Europe, especially in technology, finance, and telecommunications sectors, exploitation could disrupt development workflows, delay product releases, and expose sensitive intellectual property. Additionally, compromised development infrastructure can serve as a launchpad for supply chain attacks, impacting customers and partners downstream. The operational nature of the attacks indicates threat actors are actively targeting these environments, increasing the likelihood of successful breaches. The impact is exacerbated in organizations with exposed or poorly segmented development servers, inadequate monitoring, or delayed patching processes.

Mitigation Recommendations

1. Immediate patching: Apply all available security updates to the @react-native-community/cli npm package and Metro Development Server to remediate the vulnerability.
2. Network segmentation: Isolate development infrastructure from production and external networks to limit exposure and reduce attack surface.
3. Access controls: Restrict access to Metro Development Server instances using strong authentication, IP whitelisting, and VPNs to prevent unauthorized connections.
4. Endpoint protection tuning: Review and adjust antivirus and endpoint detection rules to prevent exclusions that attackers exploit; monitor for suspicious PowerShell activity and network connections.
5. Monitoring and detection: Deploy network and host-based intrusion detection systems to identify anomalous TCP connections, unusual file writes in temporary directories, and execution of unknown binaries.
6. Incident response readiness: Prepare to investigate and remediate potential compromises by collecting logs, performing forensic analysis, and isolating affected systems promptly.
7. Supply chain risk management: Audit dependencies and build pipelines for exposure to vulnerable versions and implement strict code signing and integrity verification.
8. Developer awareness: Educate development teams about the risks of exposing development servers and enforce secure development environment practices.
9. Runtime protection: Use runtime application self-protection (RASP) and behavior-based detection tools to identify exploitation attempts in real time.
10. Perimeter hygiene: Regularly review firewall and proxy rules to block known malicious IP addresses associated with the attacks.
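To make the behaviours described in the technical analysis and the monitoring in items 4 and 5 concrete, here is an added example (not from the article, VulnCheck, JFrog or the Metro project) that triages process-creation records for the described chain: Base64-encoded PowerShell, Defender exclusion changes and raw TCP socket use. The tab-separated log format, the rule names, the assumption that commands spawned by Metro have node.exe as their parent image, and every sample value are constructed for this example.

```python
import base64
import re

# PowerShell's -EncodedCommand (and its short forms) takes Base64 of UTF-16LE text.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Behaviours drawn from the analysis above; the rule names are constructed for this example.
BEHAVIOURS = {
    "defender_exclusion_tampering": re.compile(r"\b(?:Add|Set|Remove)-MpPreference\b.*?-Exclusion", re.I),
    "raw_tcp_socket": re.compile(r"Net\.Sockets\.TcpClient", re.I),
    "payload_download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest", re.I),
}
SUSPICIOUS_PARENTS = {"node.exe"}  # assumption: Metro runs under Node, so its children have node.exe as parent

def decode_encoded_command(blob):
    """Decode one -EncodedCommand argument; None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_record(record):
    """record has 'parent' and 'cmdline'; returns the names of every rule that fired."""
    hits, text = [], record["cmdline"]
    m = ENCODED_RE.search(text)
    if m:
        hits.append("encoded_powershell")
        text += "\n" + (decode_encoded_command(m.group(1)) or "")  # scan the decoded script too
    hits += [name for name, rx in BEHAVIOURS.items() if rx.search(text)]
    if record["parent"].lower() in SUSPICIOUS_PARENTS and "powershell" in text.lower():
        hits.append("powershell_spawned_by_node")
    return hits

def triage(lines):
    """Parse constructed tab-separated lines (timestamp, host, parent, cmdline); return {timestamp: hits}."""
    findings = {}
    for line in lines:
        ts, _host, parent, cmdline = line.rstrip("\n").split("\t", 3)
        hits = analyse_record({"parent": parent, "cmdline": cmdline})
        if hits:
            findings[ts] = hits
    return findings

# Constructed sample: a normal build step, then a record shaped like the described payload.
_PAYLOAD = "Add-MpPreference -ExclusionPath $env:TEMP; $s = New-Object Net.Sockets.TcpClient"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "2025-12-21T10:02:11Z\tdev-win-01\tnode.exe\tnpx react-native run-android",
    f"2025-12-21T10:02:14Z\tdev-win-01\tnode.exe\tpowershell.exe -enc {_ENC}",
]
```

Feed it real process-creation telemetry (Sysmon event 1 or Windows 4688 with command-line auditing) after adapting the parser to that format; the encoded-command decoding is the part that lets the behaviour rules see what the raw command line hides.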

Technical Details

Article source: https://thehackernews.com/2026/02/hackers-exploit-metro4shell-rce-flaw-in.html (fetched 2026-02-04T09:33:13Z, 865 words)

Threat ID: 6983125df9fa50a62f7d2aa6

Added to database: 2/4/2026, 9:33:17 AM

Last enriched: 2/4/2026, 9:34:36 AM

Last updated: 2/7/2026, 2:25:23 AM
