
Critical Metro4Shell Vulnerability in React Native CLI Package Actively Exploited
Malicious actors are actively exploiting a critical vulnerability affecting the Metro Development Server in the npm package "@react-native-community/cli". Cybersecurity company VulnCheck observed the first exploitation of CVE-2025-11953, also known as Metro4Shell, on December 21, 2025. This flaw, with a CVSS score of 9.8, allows unauthenticated remote attackers to execute arbitrary code.