{"id":209732,"date":"2026-02-03T14:01:00","date_gmt":"2026-02-03T19:01:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/03\/critical-react-native-metro-dev-server-bug-under-attack-the-register\/"},"modified":"2026-02-03T19:40:11","modified_gmt":"2026-02-04T00:40:11","slug":"critical-react-native-metro-dev-server-bug-under-attack-the-register","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/03\/critical-react-native-metro-dev-server-bug-under-attack-the-register\/","title":{"rendered":"Critical React Native Metro dev server bug under attack \u2022 The Register"},"content":{"rendered":"<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/03\/critical_react_native_metro_server\/\">Critical React Native Metro dev server bug under attack \u2022 The Register<\/a><\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/03\/critical_react_native_metro_server\/\">https:\/\/www.theregister.com\/2026\/02\/03\/critical_react_native_metro_server\/<\/a><\/p>\n<p>Publish Date: 2026-02-03 14:01:00<\/p>\n<p>Source Domain: <a href=\"www.theregister.com\">www.theregister.com<\/a><\/p>\n<p>Baddies are exploiting a critical bug in React Native&#8217;s Metro development server to deliver malware to both Windows and Linux machines, and yet the in-the-wild attacks still haven&#8217;t received the &#8220;broad public acknowledgement&#8221; that they should, according to security researchers.<\/p>\n<p>The vulnerability affects the React Native Community command line tool, a very popular npm package with nearly 2.5 million weekly downloads. React Native is a development tool created by Meta that allows users to build mobile applications for iOS and Android using JavaScript and React.<\/p>\n<p>The flaw, tracked as CVE-2025-11953, arises because the Metro development server started by the React Native Community command line tool exposes an endpoint vulnerable to OS command injection. 
This allows unauthenticated network attackers to send a POST request to the server and run malicious executables. Similarly, on Windows machines, miscreants can abuse the security hole to execute arbitrary shell commands with fully controlled arguments.<\/p>\n<p>JFrog researchers discovered the vulnerability and disclosed it in early November after Meta issued a fix. The research team assigned it a critical, 9.8 CVSS severity rating, meaning it&#8217;s almost as bad as bugs get.<\/p>\n<p>Bug hunters wasted no time publishing proof-of-concept exploits on GitHub, with one such POC being published the same day as the public bug disclosure.<\/p>\n<p>&#8220;VulnCheck observed exploitation attempts as early as December, well before public discussion framed CVE-2025-11953 as anything more than a theoretical risk,&#8221; VulnCheck CTO Jacob Baines told The Register. &#8220;This demonstrates how quickly attackers can act once scanning becomes viable, and why developer tooling &#8211; widespread, inconsistently monitored, and often not treated as production-grade &#8211; represents a particularly attractive early target.&#8221;<\/p>\n<p>In a Tuesday blog, Baines said the bug isn&#8217;t&#8230;<\/p>\n<p><a href=\"https:\/\/www.theregister.com\/2026\/02\/03\/critical_react_native_metro_server\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical React Native Metro dev server bug under attack \u2022 The Register https:\/\/www.theregister.com\/2026\/02\/03\/critical_react_native_metro_server\/ Publish 
Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":209733,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/regmedia.co.uk\/2018\/07\/27\/scream_shutterstock.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,27],"class_list":["post-209732","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209732"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=209732"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209732\/revisions"}],"predecessor-version":[{"id":209734,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/209732\/revisions\/209734"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/209733"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=209732"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=209732"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=209732"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}