Hackers exploit critical React Native Metro bug to breach dev systems
Hackers are exploiting a critical vulnerability in the React Native Metro server, identified as CVE-2025-11953, to breach development systems and deliver malicious payloads for Windows and Linux. The flaw allows unauthenticated attackers to execute arbitrary commands on Windows and run arbitrary executables on Linux and macOS. Discovered by JFrog and disclosed in early November, the vulnerability affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2, and was fixed in version 20.0.0 and later. Despite active exploitation being observed, the vulnerability still carries a low score in the Exploit Prediction Scoring System (EPSS). VulnCheck's report includes indicators of compromise (IoCs) for the attacker network infrastructure as well as Windows and Linux payloads.
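One practical follow-up for a defender is to check whether the affected package is present in a project's dependency tree. The following is an added example written for this page, not code from the article, JFrog, VulnCheck or the React Native project: it compares versions with SemVer prerelease ordering (so 20.0.0-alpha.2 sorts below the fixed 20.0.0) and scans an npm lockfile's `packages` map, including nested copies. The sample lockfile is constructed, and treating every 20.0.0 prerelease as unpatched is an assumption, since the article names only alpha.2 as the last affected build.

```javascript
// Added example, not from the article or React Native: flag installed copies
// of the package in the advisory's range (4.8.0 through 20.0.0-alpha.2; fixed in 20.0.0).
const PKG = "@react-native-community/cli-server-api";
const FIRST_AFFECTED = "4.8.0", FIRST_FIXED = "20.0.0";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split(".") : null };
}

// SemVer precedence: numeric core first; a prerelease sorts below its release
// (20.0.0-alpha.2 < 20.0.0); prerelease ids compare numerically when both are
// numbers, numeric before alphanumeric, otherwise as strings.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++)
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  // Only one side has a prerelease: that side is the lower version.
  if (!pa.pre || !pb.pre) return (pa.pre ? -1 : 0) + (pb.pre ? 1 : 0);
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
    if (nx && ny) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (nx !== ny) return nx ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Assumption: everything below the fixed release is treated as affected, so
// 20.0.0 prereleases later than alpha.2 (not named by the advisory) are flagged too.
function isAffected(version) {
  return compareVersions(version, FIRST_AFFECTED) >= 0 && compareVersions(version, FIRST_FIXED) < 0;
}

// Scan the "packages" map of an npm lockfile (lockfileVersion 2 or 3), which
// also lists nested copies under other dependencies' node_modules.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {}))
    if (path.endsWith("node_modules/" + PKG) && entry.version && isAffected(entry.version))
      hits.push({ path, version: entry.version });
  return hits;
}

// Constructed sample lockfile fragment, not taken from any real project.
const sampleLock = { lockfileVersion: 3, packages: {
  "node_modules/@react-native-community/cli-server-api": { version: "13.6.9" },
  "node_modules/x/node_modules/@react-native-community/cli-server-api": { version: "20.0.0" },
} };
console.log(findAffectedInLock(sampleLock)); // one hit (13.6.9); the nested 20.0.0 copy is fixed
```

Run it with `node` against `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `sampleLock`; a non-empty result means the lockfile pins an affected build somewhere in the tree.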