Critical React Native Metro dev server bug under attack • The Register

https://www.theregister.com/2026/02/03/critical_react_native_metro_server/

Publish Date: 2026-02-03 14:01:00

Source Domain: www.theregister.com

Baddies are exploiting a critical bug in React Native’s Metro development server to deliver malware to both Windows and Linux machines, and yet the in-the-wild attacks still haven’t received the “broad public acknowledgement” that they should, according to security researchers.

The vulnerability affects the React Native Community command line tool, a very popular npm package with nearly 2.5 million weekly downloads. React Native is a development tool created by Meta that allows users to build mobile applications for iOS and Android using JavaScript and React. 

The flaw, tracked as CVE-2025-11953, arises because the Metro development server started by the React Native Community command line tool exposes an HTTP endpoint vulnerable to OS command injection: a field from an unauthenticated POST request is passed into an operating-system command without sanitization. In practice, anyone who can reach the dev server over the network can run an executable of their choosing on the developer's machine, and on Windows can execute arbitrary shell commands with fully controlled arguments.
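To make the bug class concrete, here is an added illustration in Node.js of the pattern the article describes and the shape of a fix. This is not code from Metro or the React Native Community CLI; the handler functions, the assumed JSON body shape `{"url": ...}`, the `cmd.exe /c start` launcher line and the sample request bodies are all constructed for the example. The point it shows is that a request field spliced into a shell command line is injectable no matter how it is quoted, whereas strict parsing plus a shell-less launch leaves metacharacters inert.

```javascript
// Added illustration of the injection class described above. Not Metro's or
// the React Native Community CLI's own code; handler names, the body shape
// {"url": ...} and the launcher command line are assumptions for the example.

// --- Vulnerable shape -------------------------------------------------------
// A request field is spliced into a shell command line. The function returns
// the command it *would* hand to a shell instead of running it, so the example
// stays inert. With cmd.exe, a double quote inside the value ends the quoted
// argument early and anything after an "&" runs as a separate command.
function vulnerableOpenCommand(body) {
  const { url } = JSON.parse(body);
  return `cmd.exe /c start "" "${url}"`;
}

// --- Hardened shape ---------------------------------------------------------
// Parse strictly, allow only http/https, and return an argv list intended for
// a shell-less spawn: child_process.spawn(launcher, argv, { shell: false }).
// Without a shell there is nothing to interpret quotes, "&", ";" or "|".
function safeOpenArgs(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch {
    return { ok: false, reason: "body is not JSON" };
  }
  if (typeof parsed.url !== "string") {
    return { ok: false, reason: "url must be a string" };
  }
  let u;
  try {
    u = new URL(parsed.url); // WHATWG parser rejects spaces/quotes in hosts
  } catch {
    return { ok: false, reason: "url does not parse" };
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  }
  return { ok: true, argv: [u.href] };
}

// A dev server should additionally refuse to act on requests that do not come
// from the developer's own machine. These are the forms Node reports in
// socket.remoteAddress for loopback clients.
function isLoopbackAddress(remoteAddress) {
  return (
    remoteAddress === "127.0.0.1" ||
    remoteAddress === "::1" ||
    remoteAddress === "::ffff:127.0.0.1"
  );
}

// Constructed request bodies (not captured traffic) exercising both shapes.
const benignBody = JSON.stringify({ url: "http://localhost:8081/debugger-ui" });
const hostileBody = JSON.stringify({ url: 'http://x" & calc.exe & "' });

console.log("vulnerable:", vulnerableOpenCommand(hostileBody));
console.log("hardened (hostile):", safeOpenArgs(hostileBody));
console.log("hardened (benign):", safeOpenArgs(benignBody));
```

The same checks transfer to any local tooling that turns a network request into a process launch: validate the value against an allowlist of schemes rather than trying to escape it, launch without a shell, and treat a non-loopback client as hostile.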

JFrog researchers discovered the vulnerability and disclosed it in early November after Meta issued a fix. The research team assigned it a critical, 9.8 CVSS severity rating, meaning it’s almost as bad as bugs get.

Bug hunters wasted no time publishing proof-of-concept exploits on GitHub, one of which appeared the same day as the public bug disclosure.

“VulnCheck observed exploitation attempts as early as December, well before public discussion framed CVE-2025-11953 as anything more than a theoretical risk,” VulnCheck CTO Jacob Baines told The Register. “This demonstrates how quickly attackers can act once scanning becomes viable, and why developer tooling – widespread, inconsistently monitored, and often not treated as production-grade – represents a particularly attractive early target.”

In a Tuesday blog, Baines said the bug isn’t…
