React Native Metro server flaw exploited in wild, EPSS scoring misses active attacks

CVE-2025-11953, a critical command injection flaw in React Native's Metro dev server, has been exploited since December despite a 9.8 CVSS score. The bug affects 2.5 million weekly downloads, yet exploit prediction systems rate it low-risk while attacks continue.

A critical vulnerability in React Native's Metro development server is being actively exploited, yet exploit prediction systems are badly underestimating the risk.

CVE-2025-11953 allows unauthenticated attackers to execute arbitrary commands via Metro's /open-url and /open-stack-frame endpoints. The flaw affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2, a package downloaded 2.5 million times weekly.

JFrog researchers discovered the bug and disclosed it in November after Meta patched it. The issue: Metro defaults to binding on 0.0.0.0:8081, exposing the dev server to any device on the network. Unsanitized POST parameters get passed directly to child_process.spawn, enabling command injection.

VulnCheck observed exploitation attempts as early as December, well before the security community treated it as more than theoretical risk. "This demonstrates how quickly attackers can act once scanning becomes viable," VulnCheck CTO Jacob Baines told The Register.

The disconnect is significant. Despite a 9.8 CVSS score (critical, remote, no privileges needed), the Exploit Prediction Scoring System assigns it a 0.00405 probability - essentially dismissing active exploitation that's been documented for weeks.

Proof-of-concept exploits hit GitHub the same day as the disclosure. Internet-wide scans show exposed Metro servers are discoverable and exploitable. Yet more than a month after initial attacks, the vulnerability lacks "broad public acknowledgement," according to researchers.

The affected package underpins thousands of React Native mobile development environments globally. Developers running npm start or npx react-native start are vulnerable unless they've updated to version 20.0.0 or explicitly bound Metro to localhost.

This matters for enterprise teams: development tooling often sits outside production monitoring, runs on shared networks, and gets treated as low-risk. The gap between "dev server" and "production system" matters less when the dev server can execute arbitrary commands and access source code or credentials.

Immediate mitigation: update @react-native-community/cli-server-api to 20.0.0, bind Metro explicitly to localhost, and isolate dev environments from untrusted networks. The patch is available. The exploitation is confirmed. The scoring systems will catch up eventually.
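Two of the checks a defender would want here, as an added example that is not part of the article or of the React Native project: one flags the exposure the article describes (a listener on port 8081 bound to a wildcard address, parsed from `ss -ltn`-style rows) and one flags POST requests to the two command-sink endpoints from non-loopback sources. The access-log lines and socket rows are constructed samples, and the combined-log format is an assumption about how a proxy or host agent records requests to the dev server.

```python
import ipaddress
import re

# Endpoints the advisory names as passing POST parameters to child_process.spawn.
METRO_SINK_ENDPOINTS = ("/open-url", "/open-stack-frame")
METRO_DEFAULT_PORT = 8081
WILDCARD_HOSTS = ("0.0.0.0", "*", "[::]", "::")

# Apache combined-log shape (assumed): "<src> - - [<date>] "<METHOD> <path> HTTP/x" <status> ..."
LOG_RE = re.compile(
    r'^(?P<src>\S+) - - \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed samples: a developer's own loopback traffic plus requests from two LAN peers.
SAMPLE_ACCESS_LOG = [
    '127.0.0.1 - - [01/Dec/2025:10:00:00 +0000] "GET /status HTTP/1.1" 200 12',
    '127.0.0.1 - - [01/Dec/2025:10:00:05 +0000] "POST /open-url HTTP/1.1" 200 0',
    '10.0.0.23 - - [01/Dec/2025:10:01:17 +0000] "POST /open-url HTTP/1.1" 200 0',
    '10.0.0.23 - - [01/Dec/2025:10:01:18 +0000] "POST /open-stack-frame HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Dec/2025:10:02:00 +0000] "GET /index.bundle?platform=ios HTTP/1.1" 200 3412',
]
# Constructed `ss -ltn` rows: Metro on the wildcard default, another service on loopback only.
SAMPLE_SS = [
    'LISTEN 0 511 0.0.0.0:8081 0.0.0.0:* users:(("node",pid=4242,fd=20))',
    "LISTEN 0 128 127.0.0.1:3000 0.0.0.0:*",
]

def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; unparsable sources are treated as remote."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def flag_metro_requests(lines):
    """Return (src, path) for every POST to a command-sink endpoint from a non-loopback source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        if m.group("method") == "POST" and path in METRO_SINK_ENDPOINTS and not is_loopback(m.group("src")):
            hits.append((m.group("src"), path))
    return hits

def exposed_metro_listeners(ss_lines):
    """Return local addresses where port 8081 listens on a wildcard (all-interfaces) address."""
    exposed = []
    for line in ss_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        host, _, port = parts[3].rpartition(":")  # rpartition keeps IPv6 "[::]" intact
        if port == str(METRO_DEFAULT_PORT) and host in WILDCARD_HOSTS:
            exposed.append(parts[3])
    return exposed

if __name__ == "__main__":
    print("exposed listeners:", exposed_metro_listeners(SAMPLE_SS))
    print("suspicious requests:", flag_metro_requests(SAMPLE_ACCESS_LOG))
```

The loopback POST to /open-url is deliberately not flagged, since that is the path the developer's own tooling uses; the point is the same request arriving from another host.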