Threat actors have been observed exploiting a critical security flaw impacting the Metro Development Server in the popular « @react-native-community/cli » npm package.
Cybersecurity company VulnCheck said it first observed exploitation of CVE-2025-11953 (aka Metro4Shell) on December 21, 2025. With a CVSS score of 9.8, the vulnerability allows remote unauthenticated attackers to execute arbitrary
