Security reinforcement following the critical exploitation of Metro4Shell in React Native environments

Posted date 26/02/2026

In early 2026, active exploitation of a critical vulnerability in the React Native Metro development server, identified as CVE-2025-11953 and nicknamed Metro4Shell, was confirmed. The flaw was originally disclosed in November 2025 with a CVSS score of 9.8, because it allows unauthenticated remote code execution on systems where the server is exposed to the network. In February 2026, agencies such as the US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to their Known Exploited Vulnerabilities (KEV) catalog, confirming its use in real attacks.
Malicious actors have been exploiting this flaw in React Native development servers to compromise developers' machines and CI/CD pipelines. The vulnerability lies in the '@react-native-community/cli-server-api' package, which by default makes Metro listen on all network interfaces; an attacker who can reach the server can send a specially crafted POST request to the '/open-url' endpoint and obtain arbitrary command execution on the target system. To mitigate the risk, a patched release (version 20.0.0 or higher of the affected package), guidance to restrict the server to localhost, and recommendations to monitor for anomalous activity have been published.
The situation remains under close scrutiny, with a strong recommendation to apply the patches and tighten development configurations to prevent further intrusions. Although the vendor and the React Native community have released fixes and authorities such as CISA have issued official alerts, many Metro instances remain exposed, so the risk persists wherever affected systems are not updated and the network is not properly segmented.
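The two checks a defender would want from the guidance above, written as an added example that is not part of the original advisory or of the React Native project: a lockfile audit that reports every copy of the affected package older than the fixed version 20.0.0, and a log scan that flags POST requests to the '/open-url' endpoint arriving from anything other than the loopback address (which a Metro server correctly bound to localhost should never see). The lockfile fragment and the access-log format ("source-ip METHOD path status") are constructed for the example and are assumptions, not the project's real output.

```javascript
// Added example (not from the advisory or the React Native project).
// Part 1: compare installed versions of the affected package against the
// fixed version named in the advisory. Part 2: flag POST /open-url requests
// from non-loopback sources in access-log lines. All inputs are constructed.

const AFFECTED_PACKAGE = '@react-native-community/cli-server-api';
const FIXED_VERSION = '20.0.0';

// Parse "MAJOR.MINOR.PATCH"; a pre-release suffix such as "-rc.1" is ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator semantics: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk a package-lock.json in the lockfileVersion 2/3 layout ("packages"
// keyed by "node_modules/<name>"). Nested copies live under paths such as
// "node_modules/a/node_modules/<name>", so match on the path suffix.
function findVulnerableCopies(lockfile) {
  const findings = [];
  const suffix = `node_modules/${AFFECTED_PACKAGE}`;
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith(suffix) || !meta.version) continue;
    if (compareSemver(meta.version, FIXED_VERSION) < 0) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Detection: assumed (constructed) log format "<src-ip> <METHOD> <path> <status>".
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

function flagSuspiciousRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const parts = line.trim().split(/\s+/);
    if (parts.length < 3) continue;
    const [src, method, path] = parts;
    const route = path.split('?')[0];
    if (method === 'POST' && route === '/open-url' && !LOOPBACK.has(src)) {
      hits.push({ src, line });
    }
  }
  return hits;
}

// Constructed sample lockfile: one outdated copy, one patched nested copy.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@react-native-community/cli-server-api': { version: '19.1.1' },
    'node_modules/some-tool/node_modules/@react-native-community/cli-server-api': { version: '20.0.0' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// Constructed sample access log; only the remote POST to /open-url is flagged.
const SAMPLE_LOG = [
  '127.0.0.1 GET /status 200',
  '127.0.0.1 POST /open-url 200',
  '10.0.0.23 POST /open-url 200',
  '10.0.0.23 GET /index.bundle 200',
  '::1 POST /open-url 200',
];

function runAudit(lockfile = SAMPLE_LOCKFILE, log = SAMPLE_LOG) {
  return {
    vulnerable: findVulnerableCopies(lockfile),
    suspicious: flagSuspiciousRequests(log),
  };
}

const report = runAudit();
for (const f of report.vulnerable) {
  console.log(`outdated: ${f.path} (${f.version} < ${FIXED_VERSION})`);
}
for (const h of report.suspicious) {
  console.log(`suspicious: ${h.line}`);
}
```

In a real pipeline the lockfile would be read from disk and the log lines streamed from the dev server's reverse proxy or host firewall; the point of the loopback check is that, once Metro is restricted to localhost as the advisory recommends, any remote hit on this endpoint is itself the anomaly worth alerting on.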