Metro4Shell Vulnerability Exploited by Hackers

A critical security flaw, known as Metro4Shell or CVE-2025-11953, has been discovered in the Metro Development Server of the popular @react-native-community/cli npm package. This vulnerability allows remote unauthenticated attackers to execute arbitrary code, posing a significant threat to users of the React Native framework.

Cybersecurity company VulnCheck first observed the exploitation of this vulnerability on December 21, 2025. With a CVSS score of 9.8, the Metro4Shell vulnerability is considered highly severe, making it a prime target for threat actors.

  • The vulnerability affects the Metro Development Server in the @react-native-community/cli npm package.
  • It allows remote unauthenticated attackers to execute arbitrary code.
  • The CVSS score of 9.8 indicates a highly severe vulnerability.
  • Exploitation of the vulnerability was first observed on December 21, 2025.

Users of the React Native framework are advised to take immediate action to protect themselves from this vulnerability. This includes updating the @react-native-community/cli package to the latest version and monitoring their systems for any signs of exploitation.
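Because the advisory-level fix here is "update the package", the first thing a defender wants is an inventory of where the affected package is actually installed, including copies nested under other dependencies that `npm ls` output is easy to miss. The following is an added example, not code from the article or from VulnCheck: it reads an npm `package-lock.json` (both the `lockfileVersion` 1 `dependencies` tree and the `lockfileVersion` 2/3 flat `packages` map), lists every install of `@react-native-community/cli`, and flags versions below a patched baseline. The article does not state the patched version, so `SAMPLE_PATCHED` and the lockfile contents are constructed placeholders; replace the baseline with the version named in the vendor advisory before using it for real.

```javascript
// Added example (not part of the original article). Audits an npm
// package-lock.json for every installed copy of a package and compares each
// against a patched baseline. Runs offline on the constructed sample below.

const PACKAGE = "@react-native-community/cli"; // package named in the article

// PLACEHOLDER: the article gives no patched version; substitute the advisory's.
const SAMPLE_PATCHED = "2.0.0";

// Parse "MAJOR.MINOR.PATCH[-prerelease]"; returns null if not semver-shaped.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts below the matching release.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${pa ? b : a}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Every install path of `name` in the lockfile, top-level or nested.
function findInstalls(lock, name) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/a/node_modules/@scope/pkg".
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree; walk it recursively.
    const walk = (deps, prefix) => {
      for (const [depName, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Main entry point: accepts the lockfile as a JSON string or parsed object and
// marks each install whose version is older than `patchedVersion`.
function auditLock(lockJson, name, patchedVersion) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  return findInstalls(lock, name).map((i) => ({
    ...i,
    vulnerable: compareSemver(i.version, patchedVersion) < 0,
  }));
}

// Constructed sample lockfile (lockfileVersion 3): one top-level install that
// is behind the baseline and one nested copy that is already past it. The
// "cli-server-api" entry must NOT match, since it is a different package.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@react-native-community/cli": { version: "1.5.0" },
    "node_modules/@react-native-community/cli-server-api": { version: "1.5.0" },
    "node_modules/some-tool": { version: "3.2.1" },
    "node_modules/some-tool/node_modules/@react-native-community/cli": { version: "2.1.0" },
  },
});

for (const hit of auditLock(SAMPLE_LOCK, PACKAGE, SAMPLE_PATCHED)) {
  console.log(`${hit.vulnerable ? "VULNERABLE" : "ok        "} ${hit.version.padEnd(8)} ${hit.path}`);
}
```

To run it against a real project, read `package-lock.json` from disk and pass its contents to `auditLock` with the advisory's fixed version; the path column tells you which parent dependency pins a nested copy, which is the one that a plain `npm update` of the top-level package will not touch.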
