VulnHub

Real-time Cybersecurity News

Hackers Exploit Metro4Shell RCE Flaw in React Native CLI npm Package

The Hacker News
Actively Exploited
CVEExploitVulnerabilityRCECritical

Overview

A serious security vulnerability, identified as CVE-2025-11953 and nicknamed Metro4Shell, has been discovered in the Metro Development Server, which is part of the '@react-native-community/cli' npm package. This flaw, rated 9.8 on the CVSS scale, allows remote attackers to execute arbitrary code without authentication. Researchers from VulnCheck first detected active exploitation of this vulnerability on December 21, 2025. This poses a significant risk for developers and organizations using this package, as it could lead to unauthorized control over their systems. Users of the affected npm package need to take immediate action to protect their applications.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: Metro Development Server in the '@react-native-community/cli' npm package.
  • Action Required: Developers should update their '@react-native-community/cli' package to the latest version to mitigate the vulnerability.
  • Timeline: Ongoing since December 21, 2025

Original Article Summary

Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular "@react-native-community/cli" npm package. Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary

Impact

Metro Development Server in the '@react-native-community/cli' npm package.

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Ongoing since December 21, 2025

Remediation

Developers should update their '@react-native-community/cli' package to the latest version to mitigate the vulnerability. They should also review their server configurations and implement security best practices to limit exposure to such attacks.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to CVE, Exploit, Vulnerability, and 2 more.

Read Original Article

Related Coverage

Cantwell claims telecoms blocked release of Salt Typhoon report

CyberScoop

Senator Maria Cantwell from Washington is pushing for hearings to investigate how AT&T and Verizon have responded to recent cyberattacks targeting telecom networks. She claims that these companies have obstructed the release of a report known as Salt Typhoon, which likely contains critical information about the hacks. Cantwell's calls for transparency come amid growing concerns about the security of telecommunication infrastructure, especially as it plays a vital role in national security and everyday communications. The outcome of these hearings could lead to increased accountability for telecom companies in how they protect their networks and respond to breaches.

Feb 3, 2026

What’s next for DHS’s forthcoming replacement critical infrastructure protection panel, AI information sharing

CyberScoop

Nick Andersen, a senior official at the Cybersecurity and Infrastructure Security Agency (CISA), recently outlined plans to enhance the Critical Infrastructure Partnership Advisory Council (CIPAC) and establish an Artificial Intelligence Information Sharing and Analysis Center (AI-ISAC). These initiatives aim to improve collaboration among government agencies and private sector organizations to better protect critical infrastructure. The focus on AI in cybersecurity reflects growing concerns about the potential risks and vulnerabilities associated with emerging technologies. The establishment of the AI-ISAC would facilitate the sharing of information related to AI threats, helping organizations stay ahead of potential cyber attacks. This move is significant as it underscores the need for updated frameworks to address the evolving landscape of cybersecurity challenges.

Feb 3, 2026

Ivanti’s EPMM is under active attack, thanks to two critical zero-days

CyberScoop

Ivanti's Endpoint Manager Mobile (EPMM) is currently facing serious security threats due to two newly discovered zero-day vulnerabilities. Initial limited attacks were reported before Ivanti made its findings public, but since then, numerous threat groups have exploited these weaknesses, leading to a surge in attacks. More than 1,400 instances of EPMM remain exposed, putting organizations at risk of unauthorized access and data breaches. This situation is alarming as it highlights the vulnerabilities in widely used software, prompting urgent action from affected users to protect their systems. Companies using EPMM should prioritize patching and securing their environments to mitigate the risks associated with these vulnerabilities.

Feb 3, 2026

GlassWorm Malware Returns to Shatter Developer Ecosystems

darkreading

A new wave of GlassWorm malware has been detected, targeting Open VSX software components. This self-replicating malware has infiltrated various development environments, leading to infections that steal sensitive information from users. As developers integrate these compromised components, they unknowingly expose their systems and data to potential breaches. The implications are significant, as downstream victims may suffer from data theft and loss of trust in their development tools. Developers and organizations using these components need to take immediate action to secure their environments and mitigate the risks associated with this malware.

Feb 3, 2026

Wave of Citrix NetScaler scans use thousands of residential proxies

BleepingComputer

Recently, a coordinated effort has been observed targeting Citrix NetScaler systems through a large-scale scanning operation. This campaign utilized tens of thousands of residential proxies to locate login panels, indicating a significant interest in potentially exploiting these systems. Organizations using Citrix NetScaler may be at risk, as the scans could lead to unauthorized access or data breaches if vulnerabilities are found. The use of residential proxies suggests that the attackers are trying to mask their activities and avoid detection. This incident serves as a reminder for companies to strengthen their security measures and monitor their networks for unusual activity.

Feb 3, 2026

CISA flags critical SolarWinds RCE flaw as exploited in attacks

BleepingComputer

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a serious vulnerability in SolarWinds Web Help Desk that is currently being exploited in active attacks. This flaw poses a risk to federal agencies, which have been instructed to apply necessary patches within three days to mitigate potential damage. The urgency of the situation underscores the importance of maintaining up-to-date systems, especially for organizations that rely on SolarWinds products. If left unaddressed, this vulnerability could lead to unauthorized access and compromise sensitive data, affecting not just government agencies but potentially their partners and clients as well. The situation is a reminder for all users of SolarWinds software to remain vigilant and ensure their systems are secure.

Feb 3, 2026