🥶 Review of Metro4Shell CVE‑2025‑11953
Greetings,
An interesting vulnerability in the React Native Community CLI (Metro dev server) has started showing up everywhere, and it is a good case for understanding RCE-type attacks in more detail.
RCE (Remote Code Execution) is a class of vulnerability in which an attacker can run arbitrary commands on the target system remotely, without physical access to it. It stems from a bug that lets attacker-supplied data be treated as code or commands instead of as plain input.
INTRO CVE‑2025‑11953
JFrog discovered a critical RCE vulnerability: Metro binds to external interfaces and exposes an HTTP endpoint, /open-url, that passes unvalidated input to the open() function from the open npm package, which leads to OS command injection.
CVE‑2025‑11953 allows unauthenticated OS command execution on exposed Metro dev servers, with attacks deploying PowerShell and a Rust payload.
It lets an unauthenticated attacker send a POST request to /open-url and run an arbitrary executable or shell command on a machine running the Metro dev server. Affected versions of @react-native-community/cli-server-api are 4.8.0 through 20.0.0-alpha.2, which are pulled in by the standard react-native run-android, run-ios and start commands.
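The root cause above is that a request field goes to open() as-is. As an added example (not the upstream handler and not the project's fix), here is the kind of allowlist check such an endpoint needs before anything reaches a browser opener: parse the input with the WHATWG URL parser, accept only absolute http/https URLs, and reject shell metacharacters and embedded credentials. The request shape, a JSON body with a `url` field, and the function names `validateOpenUrl`/`handleOpenUrlRequest` are assumptions of this example.

```javascript
// Added example (not the upstream handler or its fix): the allowlist check a
// "/open-url"-style endpoint needs before anything reaches open().
// Assumption: the request body is JSON of the form {"url": "..."}.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns a normalized absolute http(s) URL, or null when the input is rejected.
// Anything that is not a syntactically valid URL (raw command strings, other
// schemes such as file:, shell metacharacters, embedded credentials) is refused
// here, so it can never be interpolated into an OS command downstream.
function validateOpenUrl(input) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) {
    return null;
  }
  // Deliberately strict: control characters, whitespace and shell
  // metacharacters have no place in a URL this endpoint should open.
  if (/[\x00-\x20\x7f"'`$&|;<>]/.test(input)) {
    return null;
  }
  let parsed;
  try {
    parsed = new URL(input); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return null;
  if (parsed.username || parsed.password) return null;
  return parsed.href; // serialized, normalized form (lower-cased scheme/host)
}

// Request-level wrapper: returns {status: 200, url} when the caller may hand
// the URL to a browser opener, otherwise {status: 400, reason} and no URL.
function handleOpenUrlRequest(rawBody) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { status: 400, reason: 'body is not JSON' };
  }
  const url = validateOpenUrl(body && body.url);
  if (url === null) {
    return { status: 400, reason: 'url must be an absolute http(s) URL' };
  }
  return { status: 200, url };
}

// Constructed sample inputs for a stand-alone run (node this-file.js).
const SAMPLES = [
  'http://localhost:8081/debugger-ui/',   // accepted as-is
  'HTTP://EXAMPLE.COM',                   // accepted, normalized
  'file:///etc/hosts',                    // wrong scheme
  'http://user:pw@example.com/',          // embedded credentials
  'http://localhost:8081/ trailing text', // whitespace
  'not a url',                            // unparseable
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', validateOpenUrl(s));
}
```

The metacharacter rejection is stricter than the URL grammar (it also refuses `&`, so a multi-parameter query string is blocked); for a dev-tool endpoint that only ever opens a local debugger page that trade-off is the right default, and binding the server to 127.0.0.1 still matters regardless, because validation only narrows what the handler accepts, not who can reach it.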
The attackers scan for reachable Metro ports (8081) and send a POST to /open-url with a Base64 PowerShell payload. The VulnCheck example script adds exclusions to Microsoft Defender, opens a TCP connection to the C2 server 8.218.43.248:60124, downloads a Rust binary to a temporary directory and runs it, giving RCE and, potentially, persistence.
Here you can clearly see the risks: leakage of confidential data from the infrastructure, and outright cybercrime.
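Since the affected range is stated above (4.8.0 through 20.0.0-alpha.2), the first thing to check is whether that package sits anywhere in your dependency tree. Here is an added example, not a project tool, that walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) and flags every installed copy of @react-native-community/cli-server-api inside that range, including nested copies. The semver comparison handles prerelease tags so that 20.0.0-alpha.2 ranks below 20.0.0. The sample lockfile is constructed; yarn.lock and pnpm-lock.yaml need their own parsers.

```javascript
// Added example: check a package-lock.json ("packages" map, lockfileVersion 2/3)
// for @react-native-community/cli-server-api in the affected range
// 4.8.0 .. 20.0.0-alpha.2 stated in the write-up. Not a project tool;
// the sample lockfile below is constructed for the demo.

const AFFECTED_PACKAGE = '@react-native-community/cli-server-api';
const AFFECTED_MIN = '4.8.0';          // first affected version (inclusive)
const AFFECTED_MAX = '20.0.0-alpha.2'; // last affected version (inclusive)

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v);
  if (!m) throw new Error(`not a semver: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])],
           pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: compare core numbers, then prerelease identifiers;
// a release (no prerelease) ranks above any prerelease of the same core.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) {
      return -1; // numeric identifiers rank below alphanumeric ones
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  if (pa.pre.length === pb.pre.length) return 0;
  return pa.pre.length < pb.pre.length ? -1 : 1;
}

function isAffectedVersion(version) {
  return compareSemver(version, AFFECTED_MIN) >= 0 &&
         compareSemver(version, AFFECTED_MAX) <= 0;
}

// Walk the "packages" map of a parsed package-lock.json and report every
// install path of the affected package with its version and verdict.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // keys look like "node_modules/a/node_modules/@scope/name"
    if (path === `node_modules/${AFFECTED_PACKAGE}` ||
        path.endsWith(`/node_modules/${AFFECTED_PACKAGE}`)) {
      hits.push({ path, version: entry.version, affected: isAffectedVersion(entry.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile: a top-level copy outside the stated range and a
// nested copy inside it (nested copies are easy to miss with a quick grep).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@react-native-community/cli': { version: '20.0.0' },
    'node_modules/@react-native-community/cli-server-api': { version: '20.0.0' },
    'node_modules/old-tool/node_modules/@react-native-community/cli-server-api': { version: '15.1.3' },
  },
};

for (const hit of findAffected(SAMPLE_LOCKFILE)) {
  console.log(`${hit.path}@${hit.version}: ${hit.affected ? 'IN AFFECTED RANGE' : 'outside stated range'}`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a version outside the stated range is not proof of a fix, so still confirm the fixed version against the Wiz/NVD entries mentioned below.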
What the attacker gains
• Full RCE on the host running Metro
• Access to the source code and configuration of dev projects, including .env files, cloud tokens, VPN configs and SSH keys
• Dev machines as a pivot point for lateral movement in the corporate network (similarly, Vice Society/Magniber used PrintNightmare to distribute ransomware; see my separate analysis, which I gave for the lab, here)
How the vulnerability is exploited
• masscan/nmap/Shodan to look for Metro instances: open ports such as 8081 and the presence of /open-url
• Sending a crafted POST request to /open-url with a PowerShell launch parameter or a Base64-encoded powershell -EncodedCommand
• The PowerShell payload disables antivirus protection, downloads the Rust binary and launches it; the attacker gets stable remote access and the ability to perform further operations
Risk reduction measures
• Update @react-native-community/cli to a version in which CVE‑2025‑11953 is fixed, according to the Wiz/NVD database entries
• Bind the Metro dev server to 127.0.0.1 instead of 0.0.0.0, and firewall the port from external addresses
• Check the lock files (package-lock.json, yarn.lock, pnpm-lock.yaml) for the vulnerable package in the dependency tree
• Monitor requests to /open-url and PowerShell launches with Base64 payloads
• Block outgoing connections to suspicious hosts and ports, for example 8.218.43.248:60124
• Rotate secrets
• Do not run Metro on machines directly reachable from the Internet, or on shared servers
• Check for suspicious binaries in temporary directories, scheduled tasks and services
• Minimize the rights of local developer accounts; in particular, use separate accounts/tokens for especially privileged operations (segregation of duties)
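The monitoring items above (requests to /open-url, PowerShell with Base64 payloads, traffic to the quoted C2 address) can be turned into one classifier for whatever sits in front of the dev port: a reverse proxy, a WAF, or a log pipeline that captured request bodies. Here is an added example, not Metro's code and not a JFrog/VulnCheck artifact, that scores each request record {src, method, path, body}. It assumes the body is JSON with a `url` field, treats the indicator lists as a starting point rather than a complete signature set, decodes Base64 blobs as UTF-16LE the way -EncodedCommand expects so the script text itself can be inspected, and uses constructed sample traffic; the only real IoC is the 8.218.43.248:60124 address quoted above.

```javascript
// Added example: classify requests seen at a Metro dev server port (8081) so a
// reverse proxy, WAF or log pipeline can alert on abuse of /open-url.
// Assumptions: JSON body {"url": "..."}, indicator lists are illustrative,
// and every record in SAMPLE_REQUESTS is constructed.

const C2_INDICATORS = ['8.218.43.248:60124']; // IoC quoted in the write-up

// Syntax that marks a PowerShell launch rather than a URL to open.
const SHELL_FLAGS = /\b(powershell|pwsh)\b|\s-(e|ec|en|enc|encodedcommand)\b|\$env:/i;
// Cmdlets typical of download-and-run or AV-tampering scripts.
const SCRIPT_INDICATORS = /Add-MpPreference|Invoke-WebRequest|DownloadFile|DownloadString|Start-Process|TCPClient|Invoke-Expression|\biex\b/i;

function isLoopback(ip) {
  return ip === '127.0.0.1' || ip === '::1' || ip === '::ffff:127.0.0.1';
}

// -EncodedCommand takes Base64 of UTF-16LE text; decode every plausible blob
// (both UTF-16LE and UTF-8) and keep only results that are printable ASCII.
function decodeBase64Blobs(text) {
  const out = [];
  for (const blob of text.match(/[A-Za-z0-9+/]{24,}={0,2}/g) || []) {
    const bytes = Buffer.from(blob, 'base64');
    for (const enc of ['utf16le', 'utf8']) {
      const s = bytes.toString(enc);
      if (/^[\x09\x0a\x0d\x20-\x7e]+$/.test(s)) out.push(s);
    }
  }
  return out;
}

function isHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

// Returns {severity, reasons} for one request record {src, method, path, body}.
function classifyRequest(rec) {
  const reasons = [];
  let severity = 0; // 0 none, 1 low, 2 medium, 3 high
  const bump = (level, why) => { severity = Math.max(severity, level); reasons.push(why); };

  if (rec.method !== 'POST' || !rec.path.startsWith('/open-url')) {
    return { severity: 'none', reasons };
  }
  bump(1, 'POST /open-url observed');
  if (!isLoopback(rec.src)) bump(2, `non-loopback client ${rec.src} on dev server`);

  const body = rec.body || '';
  let url;
  try {
    const parsed = JSON.parse(body);
    url = parsed && parsed.url;
  } catch {
    bump(2, 'body is not JSON');
  }
  if (typeof url === 'string' && !isHttpUrl(url)) bump(2, 'url field is not an http(s) URL');

  // Inspect the raw body plus anything hidden inside Base64.
  const haystack = [body, ...decodeBase64Blobs(body)].join('\n');
  if (SHELL_FLAGS.test(haystack)) bump(3, 'shell/PowerShell launch syntax in request');
  if (SCRIPT_INDICATORS.test(haystack)) bump(3, 'download/exec or AV-tampering cmdlet in request');
  for (const ioc of C2_INDICATORS) {
    if (haystack.includes(ioc)) bump(3, `known C2 indicator ${ioc}`);
  }
  return { severity: ['none', 'low', 'medium', 'high'][severity], reasons };
}

function classifyAll(records) { return records.map(classifyRequest); }

// Constructed sample traffic; the encoded blob decodes to a harmless command.
const SAMPLE_BLOB = Buffer.from('Start-Process notepad', 'utf16le').toString('base64');
const SAMPLE_REQUESTS = [
  { src: '127.0.0.1', method: 'POST', path: '/open-url', body: '{"url":"http://localhost:8081/debugger-ui/"}' },
  { src: '127.0.0.1', method: 'GET', path: '/status', body: '' },
  { src: '203.0.113.7', method: 'POST', path: '/open-url', body: '{"url":"http://localhost:8081/debugger-ui/"}' },
  { src: '203.0.113.7', method: 'POST', path: '/open-url', body: `{"url":"powershell -EncodedCommand ${SAMPLE_BLOB}"}` },
  { src: '203.0.113.7', method: 'POST', path: '/open-url', body: '{"url":"http://8.218.43.248:60124/"}' },
];

for (const [i, verdict] of classifyAll(SAMPLE_REQUESTS).entries()) {
  console.log(`#${i} ${verdict.severity}: ${verdict.reasons.join('; ') || '-'}`);
}
```

The medium tier fires on any non-loopback client, because a correctly bound dev server should never see one at all; that single rule catches the scanning step regardless of payload, and the Base64 decoding only adds context for the high tier.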
Footnote
8081 - an alternative HTTP port for web services, dev servers and admin panels. It runs over TCP and usually carries HTTP traffic, like port 80. It is also used for internal web consoles and management systems (CI/CD, security consoles, application admin panels, dev/test servers).
#research #riskanalysis #appsec #specialty #pmcases #term
