
"Tracked as CVE-2025-11953 (CVSS score of 9.8) and disclosed in early November, the bug impacts the highly popular React Native Community CLI NPM package (@react-native-community/cli), which has roughly two million weekly downloads. It is part of the React Native Community CLI project, which was extracted from the open source framework for improved maintainability, and provides a set of command-line tools for app building."
"Now, VulnCheck mirrors the warning after observing in-the-wild exploitation of the CVE, despite limited public attention. "As of late January, public discussion largely frames CVE-2025-11953 as a theoretical risk rather than an active intrusion vector. This disconnect is where defenders are most likely to be caught unprepared," VulnCheck notes in a fresh report. The vulnerability intelligence firm, which has named the bug Metro4Shell, observed initial exploitation attempts on December 21, followed by more activity on January 4 and 21,"
A critical-severity vulnerability, CVE-2025-11953 (CVSS score 9.8), affects the React Native Community CLI NPM package (@react-native-community/cli), which receives about two million weekly downloads. The CLI is part of the React Native Community CLI project, which was extracted from the open source framework for easier maintenance, and supplies command-line tools for app building. Development-server vulnerabilities of this kind are often exploitable only from a developer's local machine; however, a separate React Native issue can expose development servers to external attackers. Researchers at VulnCheck observed active exploitation beginning December 21, with further activity on January 4 and January 21, indicating continuous operational use rather than a one-off probe. Thousands of internet-accessible React Native instances could be at risk.
Read at SecurityWeek