Critical React Native Metro dev server bug under attack as researchers scream into the void

Baddies are exploiting a critical bug in React Native's Metro development server to deliver malware to both Windows and Linux machines, and yet the in-the-wild attacks still haven't received the "broad public acknowledgement" that they should, according to security researchers.

The vulnerability affects the React Native Community command line tool, a very popular npm package with nearly 2.5 million weekly downloads. React Native is a development tool created by Meta that allows users to build mobile applications for iOS and Android using JavaScript and React. 

The flaw, tracked as CVE-2025-11953, arises because the Metro development server started by the React Native Community command line tool exposes an endpoint vulnerable to OS command injection. This allows unauthenticated network attackers to send a POST request to the server and run malicious executables. Similarly, on Windows machines, miscreants can abuse the security hole to execute arbitrary shell commands with fully ...