Overview
- VulnCheck observed consistent in‑the‑wild exploitation on December 21, January 4, and January 21, indicating ongoing operational use rather than testing.
- The flaw lets unauthenticated POST requests execute operating system commands on the Metro development server; on Linux and macOS it allows running arbitrary executables with only limited control over their parameters.
- Attacks deliver a base64‑encoded PowerShell loader that disables Microsoft Defender, opens a raw TCP connection to attacker infrastructure, and pulls a Rust UPX‑packed payload for Windows or Linux.
- CVE‑2025‑11953 affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0‑alpha.2 and is fixed in 20.0.0+, with exposure driven by Metro binding to external interfaces and development endpoints such as /open-url.
- Roughly 3,500 Metro servers are exposed online per ZoomEye scans, and despite a CVSS 9.8 rating and published IoCs from VulnCheck, risk scores remain low and defenders are urged to patch or restrict access immediately.
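The exposure described above comes down to Metro's development endpoints being reachable from outside the loopback interface. As an added example (not code from the article, VulnCheck, or the react-native-community/cli project), the following flags POST requests to `/open-url` from non-loopback clients in access-log lines; the log format and the sample entries are constructed, since Metro itself does not emit such logs (a reverse proxy or network sensor in front of it might).

```javascript
// Added example: detect POST requests to Metro's /open-url development
// endpoint that do not come from the loopback interface. A dev server meant
// to be used locally should never see such requests.

// Constructed sample access-log lines (client_ip, timestamp, request, status).
// Not real traffic; the format is assumed, not Metro's own output.
const SAMPLE_LOG = [
  '127.0.0.1 [21/Jan/2026:10:01:02 +0000] "POST /open-url HTTP/1.1" 200',
  '::1 [21/Jan/2026:10:01:05 +0000] "GET /status HTTP/1.1" 200',
  '203.0.113.7 [21/Jan/2026:10:02:11 +0000] "POST /open-url HTTP/1.1" 200',
  '198.51.100.23 [21/Jan/2026:10:03:40 +0000] "GET /index.bundle?platform=ios HTTP/1.1" 200',
  '::ffff:203.0.113.9 [21/Jan/2026:10:04:00 +0000] "POST /open-url HTTP/1.1" 500',
];

// ip [timestamp] "METHOD path protocol" status
const LOG_RE = /^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$/;

// Loopback covers 127.0.0.0/8, ::1 and the IPv4-mapped form ::ffff:127.x.x.x.
function isLoopback(ip) {
  const v4 = ip.startsWith('::ffff:') ? ip.slice(7) : ip;
  return ip === '::1' || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(v4);
}

// Parse one log line into an object, or null if it does not match the format.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Return the parsed requests that POST to /open-url (query string ignored)
// from a client that is not on the loopback interface.
function findRemoteOpenUrlPosts(lines) {
  return lines
    .map(parseLine)
    .filter(Boolean)
    .filter((r) => r.method === 'POST'
      && r.path.split('?')[0] === '/open-url'
      && !isLoopback(r.ip));
}

// Stand-alone run: report each suspicious entry.
for (const hit of findRemoteOpenUrlPosts(SAMPLE_LOG)) {
  console.log(`remote /open-url POST from ${hit.ip} at ${hit.ts} (status ${hit.status})`);
}
```

Any hit here means the server was reachable from a non-local address at all, which is the condition to fix (bind Metro to localhost or restrict access) regardless of whether the request succeeded.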