
Metro4Shell (CVE-2025-11953): RCE in React Native Dev Server


A critical Remote Code Execution vulnerability has been discovered in the Metro Development Server used in React Native development environments, and recent attack activity has been observed exploiting this flaw to distribute malicious payloads.


The vulnerability, tracked as CVE-2025-11953 and nicknamed Metro4Shell, is an OS command injection flaw in the `/open-url` endpoint that @react-native-community/cli-server-api adds to the Metro dev server as a development convenience: the endpoint accepts a POST with a JSON body containing a `url` field and opens that URL in a browser on the machine running the server.

This issue is particularly noteworthy because it targets development environments rather than production servers. The Metro dev server can be bound to external interfaces depending on how it is started, so a misconfigured developer workstation, CI runner, or test box may expose the endpoint to the LAN or the internet.

The endpoint requires no authentication, so anyone who can reach the port can execute operating system commands as the user running the dev server. Confirmed cases show this being used to drop malicious payloads.


## Vulnerability Overview (Metro4Shell) ##


  • CVE: CVE-2025-11953 (Metro4Shell)

  • Vulnerability Type: OS Command Injection leading to Remote Code Execution

  • Affected Versions: @react-native-community/cli-server-api versions 4.8.0 up to but not including 20.0.0

  • Mitigation: Update to version 20.0.0 or later
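The affected range above is the check a practitioner actually needs to run against a repository. The following is an added example, not code from the advisory or from the React Native project: it walks the `packages` map of a package-lock.json (lockfile v2/v3 format is assumed) and flags every installed copy of @react-native-community/cli-server-api whose version falls in 4.8.0 <= v < 20.0.0, including nested copies under other packages. The sample lockfile fragment is constructed for the demo.

```javascript
// Added example: find affected @react-native-community/cli-server-api copies in a lockfile.
// Minimal semver handling so the script runs with no dependencies.

const AFFECTED_PACKAGE = '@react-native-community/cli-server-api';
const FIRST_AFFECTED = '4.8.0';   // first affected release per the advisory
const FIXED = '20.0.0';           // first fixed release per the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator: negative / 0 / positive. A prerelease (20.0.0-alpha.0) sorts before its
// release (20.0.0), so it is still inside the affected range. Prerelease identifiers are
// compared as plain strings, which is a simplification of the full semver rules.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isAffected(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 && compareVersions(version, FIXED) < 0;
}

// Lockfile v2/v3 keys installed packages by path, e.g.
// "node_modules/some-tool/node_modules/@react-native-community/cli-server-api" for a nested copy.
function findAffectedInLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${AFFECTED_PACKAGE}`)) continue;
    if (!entry || !entry.version) continue;
    findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not a real project): one vulnerable copy, one fixed copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@react-native-community/cli-server-api': { version: '13.6.9' },
    'node_modules/some-tool/node_modules/@react-native-community/cli-server-api': { version: '20.0.0' },
  },
};

for (const f of findAffectedInLockfile(SAMPLE_LOCK)) {
  console.log(`${f.affected ? 'VULNERABLE' : 'ok        '} ${f.version}  ${f.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Note that a fixed top-level copy does not help if a nested copy in the affected range is the one the dev server actually loads, which is why the walk reports every path.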


The core issue is that the `url` value from the request body is neither validated nor escaped before being handed to the helper that launches a browser. Attacker-controlled input therefore ends up inside an operating system command line.

On Windows, where that helper goes through cmd.exe or powershell.exe, a crafted value can break out of the intended argument and run arbitrary commands.
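To make the injection concrete, here is an added example that is not the vulnerable project's code: a minimal handler for a POST body of the form `{"url": "..."}` in the unsafe shape (the URL interpolated into a cmd.exe `start` command line, used here as a stand-in for whatever the real browser-launching helper executes) next to a hardened shape. The hardened version parses the value with the WHATWG `URL` class, allow-lists `http:`/`https:`, rejects shell metacharacters, and returns an argv array for `child_process.spawn(file, args)` with no `shell` option, using `rundll32 url.dll,FileProtocolHandler` on Windows, `open` on macOS and `xdg-open` elsewhere. The handler shape, the launcher choices and the payload string are all assumptions for illustration; nothing here is spawned, the functions only return the command that would run.

```javascript
// Added example: unsafe vs. hardened handling of the /open-url "url" field.

// UNSAFE: attacker input lands inside a command line that a shell will parse. A double quote
// in the input closes the intended argument and anything after "&" runs as a second command.
function buildOpenCommandUnsafe(url) {
  return `cmd.exe /c start "" "${url}"`;
}

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Validate the user-supplied value and return its normalized href, or throw.
function validateOpenUrl(raw) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) {
    throw new Error('url must be a non-empty string of reasonable length');
  }
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    throw new Error('url is not a valid absolute URL');
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    throw new Error(`protocol not allowed: ${parsed.protocol}`);
  }
  // Defence in depth: a real URL never needs these characters unencoded.
  if (/[\s"'`&|;<>^$\x00-\x1f]/.test(raw)) {
    throw new Error('url contains disallowed characters');
  }
  return parsed.href;
}

// HARDENED: build an argv array for child_process.spawn(file, args) with no shell option.
// The platform parameter is explicit so the builder can be exercised without a real launch.
function buildOpenCommandSafe(raw, platform) {
  const href = validateOpenUrl(raw);
  if (platform === 'win32') {
    // Opens the default browser without going through cmd.exe or PowerShell.
    return { file: 'rundll32.exe', args: ['url.dll,FileProtocolHandler', href] };
  }
  if (platform === 'darwin') return { file: 'open', args: [href] };
  return { file: 'xdg-open', args: [href] };
}

// Request handler shape: parse the JSON body, validate, return either a launch spec or a 400.
function handleOpenUrlBody(rawBody, platform) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { status: 400, error: 'body is not JSON' };
  }
  try {
    return { status: 200, launch: buildOpenCommandSafe(body && body.url, platform) };
  } catch (e) {
    return { status: 400, error: e.message };
  }
}

// Constructed attacker payload for the demo (not a captured sample): a quote to close the
// argument, then an injected command. It only matters to the unsafe builder.
const INJECTED = 'http://x" & calc.exe & "';
console.log('unsafe  :', buildOpenCommandUnsafe(INJECTED));
console.log('hardened:', JSON.stringify(handleOpenUrlBody(JSON.stringify({ url: INJECTED }), 'win32')));
console.log('benign  :', JSON.stringify(handleOpenUrlBody(JSON.stringify({ url: 'http://localhost:8081/' }), 'linux')));
```

The protocol allow-list matters as much as the metacharacter check: without it, a syntactically valid `file:` or `javascript:` URL would still be passed to the system URL handler, which is a different but related way to get code run on the developer's machine.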


## Attack Flow ##



## IoC (Indicators of Compromise) ##


Network

Exploitation source IPs (defanged):

- 65[.]109[.]182[.]231

- 223[.]6[.]249[.]141

- 134[.]209[.]69[.]155


C2 (defanged, IP:port):

- 8[.]218[.]43[.]248[:]60124

- 47[.]86[.]33[.]195[:]60130


File

Dropped filename:

- `jzDjiQKu.exe`


Payload hashes:

- Windows
  - SHA1: 61450287ebd524cde1a500d91c334cfb49f85db0
  - SHA256: d8337df3aff749250557bf11daf069eb404cce0e6f4f91c6bd6d3f78aed6e9d6

- Windows
  - SHA1: 112304bb4f33176d06e6291e95b58cbcf6fca2c5
  - SHA256: 7ecbb0cc88dfa5f187c209a28bd25e8e2d5113bb898a91ae273bca5983130886

- Linux
  - SHA1: 18d232d04d35d31f20d4549fa5f52f3afdb5d2d6
  - SHA256: d1886b189474b02467ed2845df0938cec9785e99c3d4b04e0b7de3cafbee4182

- Linux
  - SHA1: cdc8472732cd7419fad4ba36d0d7657158bd0634
  - SHA256: 6686d4baa9d483da27ba84dab85e96e42b790b608571de7bcb07a1fd7c975fe3


## PAGO MDR Response Direction and Implications ##


The Metro4Shell case clearly demonstrates that the long-standing assumption that development environments are inherently safe is no longer valid.


Rather than targeting production servers, attackers used developer PCs, CI servers, and testing environments as initial entry points. Development convenience components such as the Metro dev server were leveraged as less protected attack surfaces.


In particular, this case goes beyond a simple vulnerability disclosure because:

  • Real malicious payloads have been identified

  • Repeated exploitation attempts were observed from multiple external IP addresses

  • The attack infrastructure supports both Windows and Linux platforms, indicating a multi-platform operational structure


These characteristics suggest an active attack campaign rather than isolated exploitation attempts.

In response to these threat characteristics, PAGO MDR:

  • Monitors global attack trends in real time, including exploitation scenarios targeting development environments such as Metro4Shell

  • Integrates confirmed malicious file IOCs into a Global Blocklist, applying protections immediately across all customer environments


In addition, related network indicators and behavioral signals are centrally managed within the MDR monitoring dashboard, enabling rapid detection, isolation, and response when similar attack patterns emerge.


This case demonstrates that development and testing environments require the same level of visibility and control as production servers. PAGO MDR provides an operational framework that proactively controls threat events across the full attack surface, including these often overlooked environments.


Written by: Yoshi Lee

Threat Analyst | DeepACT MDR Center
