CVE-2025-11953, known as Metro4Shell, is a critical flaw in the React Native Community CLI Metro development server that allows unauthenticated OS command execution when the service is exposed beyond localhost. According to VulnCheck, exploitation has been observed in the wild, with activity beginning on 21 December 2025 and continuing into early January 2026.
The vulnerability affects the @react-native-community/cli-server-api package; affected versions run from 4.8.0 through 20.0.0-alpha.2, and fixed versions are 18.0.1, 19.1.2, and 20.0.0 and later. Exploitation typically targets an exposed Metro instance by sending unauthenticated POST requests to the /open-url endpoint, potentially leading to remote code execution with the privileges of the user running Metro.
Defenders are advised to upgrade to a fixed version and harden exposure, for example by binding Metro to localhost and restricting inbound network access. The issue does not directly impact production React Native apps but poses risk to developer workstations and CI environments when Metro is reachable from other networks.
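The first remediation step is knowing which copies of the package a project actually installs, including nested duplicates under another dependency's node_modules. The following script is an added example, not code from the advisory or from the react-native-community project: it reads an npm lockfile (lockfileVersion 2 or 3 "packages" map), compares each installed version of @react-native-community/cli-server-api against the ranges stated above, and reports which copies need upgrading. The range model is this editor's reading of the advisory text (4.8.0 up to 20.0.0-alpha.2 affected, with fixes at 18.0.1, 19.1.2 and 20.0.0 on their respective lines; release lines below 18 have no fixed version and must move up), the lockfile content is constructed, and the semver comparison is a minimal in-file implementation rather than the npm `semver` package.

```javascript
// Added example (not from the advisory or the react-native-community project):
// audit a package-lock.json for versions of @react-native-community/cli-server-api
// that the CVE-2025-11953 advisory lists as affected.

const PKG = "@react-native-community/cli-server-api";

// Fixed release per major line, as read from the advisory text (assumption:
// lines below 18 have no fixed release, lines above 20 post-date the fix).
const FIXED = { 18: "18.0.1", 19: "19.1.2", 20: "20.0.0" };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])],
           pre: m[4] ? m[4].split(".") : null };
}

// Semver precedence: numeric core first, then prerelease identifiers.
// A prerelease (20.0.0-alpha.2) sorts below the same core version (20.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn !== yn) {
      return xn ? -1 : 1;            // numeric identifiers sort before alphanumeric ones
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  if (pa.pre.length === pb.pre.length) return 0;
  return pa.pre.length < pb.pre.length ? -1 : 1;   // more identifiers = higher precedence
}

const lt = (a, b) => compareVersions(a, b) < 0;

// True when the installed version falls inside the advisory's affected range.
function isVulnerable(version) {
  if (lt(version, "4.8.0")) return false;          // below the affected range
  const major = parseVersion(version).core[0];
  if (major > 20) return false;                     // later lines post-date the fix
  const fix = FIXED[major];                         // undefined for lines with no fixed release
  return fix === undefined ? true : lt(version, fix);
}

// Walk the lockfile's "packages" map and report every installed copy of the
// package, including copies nested under other dependencies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      findings.push({ path, version: entry.version, vulnerable: isVulnerable(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project): one top-level
// copy still on a vulnerable 19.x build and one nested copy already on 20.0.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@react-native-community/cli-server-api": { version: "19.1.1" },
    "node_modules/some-tool/node_modules/@react-native-community/cli-server-api": { version: "20.0.0" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.version}  ${f.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; any line printed as VULNERABLE identifies a copy that must be moved to 18.0.1, 19.1.2, or 20.0.0 or later. The per-line fix table is the important design choice: a naive "version >= 18.0.1" test would wrongly clear 19.1.0 and 20.0.0-alpha.2, both of which sort above 18.0.1 yet remain affected.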