AI description
CVE-2025-54782 is a critical Remote Code Execution (RCE) vulnerability found in the @nestjs/devtools-integration package of the NestJS framework. This vulnerability affects NestJS projects with the devtools integration enabled. The vulnerability exists in versions 0.2.0 and below. The vulnerability stems from an unsafe JavaScript sandbox and missing cross-origin protections. A malicious website can exploit this by sending a crafted POST request to the local devtools HTTP server, allowing the execution of arbitrary code on a developer's machine. The vulnerable endpoint, /inspector/graph/interact, accepts JSON input containing code and executes it within a Node.js vm.runInNewContext sandbox.
- Description
- Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
- Source
- security-advisories@github.com
- NVD status
- Awaiting Analysis
CVSS 4.0
- Type
- Secondary
- Base score
- 9.4
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-77
- Hype score
- Not currently trending
🚨 CVE-2025-54782 - critical 🚨 NestJS DevTools Integration - Remote Code Execution > Nest is a framework for building scalable Node.js server-side applications. In versio... 👾 https://t.co/xKRIlLoeVA @pdnuclei #NucleiTemplates #cve
@pdnuclei_bot
20 Aug 2025
61 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
NestJS Devtools remote code execution vulnerability (CVE-2025-54782) https://t.co/gzWBzjgFPe
@Zllggggg
14 Aug 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical NestJS vulnerability (CVE-2025-54782) allows remote code execution. Developers are strongly advised to update @nestjs/devtools-integration to v0.2.1 ASAP. This attack is already mitigated by our existing BLOCK rule: Code Injection (3fe69f2a728e40dfabd2cfb602a9ee96)
@CloudflareHelp
6 Aug 2025
6207 Impressions
6 Retweets
22 Likes
5 Bookmarks
0 Replies
0 Quotes
⚠️Vulnerability in the NestJS Framework ❗CVE-2025-54782 ➡️More info: https://t.co/ugXSmYJtzo https://t.co/jsc8N0hrwO
@CERTpy
5 Aug 2025
100 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
RCE vulnerability in NestJS developer tools (CVE-2025-54782) #セキュリティ対策Lab #セキュリティ #Security https://t.co/wYqqux9FqG
@securityLab_jp
5 Aug 2025
61 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical #NestJS vulnerability (CVE-2025-54782) allows RCE via malicious websites. Developers must update `@nestjs/devtools-integration` to v0.2.1 immediately. Link: https://t.co/yZONl0eDrP #Security #Vulnerability #Update #Developers #Malware #Threat #Patch #Software #Coding
@dailytechonx
4 Aug 2025
8 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Warning: OS Command Injection vulnerability in #Nest Node.js framework. CVE-2025-54782 CVSS: 9.4. This vulnerability can lead to arbitrary code execution on a developer's machine. More info: https://t.co/RZIKO5DHEc #Patch #Patch #Patch
@CCBalert
4 Aug 2025
114 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
#CVE-2025-54782 Although this is a developer toolkit, many instances are still exposed on the public internet. ZoomEye search syntax: http.header="https://t.co/ljOLB8nO9F" && http.header="405 Method Not Allowed" https://t.co/YFxM3l2zjI The vulnerability fix added several checks, which essentially closes it off. https://
@_r00tuser
4 Aug 2025
2221 Impressions
6 Retweets
23 Likes
15 Bookmarks
0 Replies
0 Quotes
A serious remote code execution vulnerability (CVE-2025-54782) has been found in the NestJS development support package "@nestjs/devtools-integration". An attacker can execute arbitrary code locally simply by having a developer open a malicious web page
@yousukezan
4 Aug 2025
1712 Impressions
0 Retweets
7 Likes
2 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-54782: Critical RCE in NestJS devtools-integration ≤0.2.0! Malicious sites can execute code on your local machine via /inspector/graph/interact. Update to 0.2.1 ASAP! https://t.co/Oq5mCMbLr7 #cybersecurity
@Andrewkek77
3 Aug 2025
56 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-54782 Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was disc… https://t.co/mMGpv1WOkx
@CVEnew
1 Aug 2025
456 Impressions
0 Retweets
1 Like
0 Bookmarks
1 Reply
0 Quotes