- Description
- Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- devtools-integration
CVSS 4.0
- Type
- Secondary
- Base score
- 9.4
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 8.8
- Impact score
- 5.9
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Severity
- HIGH
- security-advisories@github.com
- CWE-77
- Hype score
- Not currently trending
#VulnerabilityReport #CVE202554782 Critical RCE Flaw (CVE-2025-54782) in NestJS DevTools Allows Remote Code Execution https://t.co/t4iPlaaCx0
@Komodosec
7 Sept 2025
🚨 CVE-2025-54782 - critical 🚨 NestJS DevTools Integration - Remote Code Execution > Nest is a framework for building scalable Node.js server-side applications. In versio... 👾 https://t.co/xKRIlLoeVA @pdnuclei #NucleiTemplates #cve
@pdnuclei_bot
20 Aug 2025
NestJS Devtools remote code execution vulnerability (CVE-2025-54782) https://t.co/gzWBzjgFPe
@Zllggggg
14 Aug 2025
A critical NestJS vulnerability (CVE-2025-54782) allows remote code execution. Developers are strongly advised to update @nestjs/devtools-integration to v0.2.1 ASAP. This attack is already mitigated by our existing BLOCK rule: Code Injection (3fe69f2a728e40dfabd2cfb602a9ee96)
@CloudflareHelp
6 Aug 2025
⚠️Vulnerability in the NestJS Framework ❗CVE-2025-54782 ➡️More info: https://t.co/ugXSmYJtzo https://t.co/jsc8N0hrwO
@CERTpy
5 Aug 2025
RCE vulnerability in NestJS developer tools (CVE-2025-54782) #セキュリティ対策Lab #セキュリティ #Security https://t.co/wYqqux9FqG
@securityLab_jp
5 Aug 2025
Critical #NestJS vulnerability (CVE-2025-54782) allows RCE via malicious websites. Developers must update `@nestjs/devtools-integration` to v0.2.1 immediately. Link: https://t.co/yZONl0eDrP #Security #Vulnerability #Update #Developers #Malware #Threat #Patch #Software #Coding
@dailytechonx
4 Aug 2025
Warning: OS Command Injection vulnerability in #Nest Node.js framework. CVE-2025-54782 CVSS: 9.4. This vulnerability can lead to arbitrary code execution on a developer's machine. More info: https://t.co/RZIKO5DHEc #Patch #Patch #Patch
@CCBalert
4 Aug 2025
#CVE-2025-54782 Although this is a developer toolkit, many instances are still exposed on the public internet. ZoomEye search syntax: http.header="https://t.co/ljOLB8nO9F" && http.header="405 Method Not Allowed" https://t.co/YFxM3l2zjI The fix added multiple checks, which essentially eliminates the issue. https://
@_r00tuser
4 Aug 2025
A serious remote code execution vulnerability (CVE-2025-54782) has been discovered in the NestJS development support package "@nestjs/devtools-integration". An attacker can execute arbitrary code locally simply by having a developer open a malicious web page
@yousukezan
4 Aug 2025
🚨 CVE-2025-54782: Critical RCE in NestJS devtools-integration ≤0.2.0! Malicious sites can execute code on your local machine via /inspector/graph/interact. Update to 0.2.1 ASAP! https://t.co/Oq5mCMbLr7 #cybersecurity
@Andrewkek77
3 Aug 2025
CVE-2025-54782 Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was disc… https://t.co/mMGpv1WOkx
@CVEnew
1 Aug 2025
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nestjs:devtools-integration:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "3CB5DF69-E7C3-4DBF-920E-E4418A346FEF",
"versionEndExcluding": "0.2.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]