Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular „@react-native-community/cli“ npm package.
Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary
https://thehackernews.com/2026/02/hackers-exploit-metro4shell-rce-flaw-in.html