CVE-2025-54782
@nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers
In short
A development tool for NestJS executes untrusted code on a developer's machine when the developer visits a malicious website while the tool is running. An attacker can run arbitrary commands on the developer's computer by luring them to a crafted webpage.
Technical detail
The @nestjs/devtools-integration package exposes a local HTTP endpoint (/inspector/graph/interact) that executes user-supplied JavaScript in a weak sandbox (vm.runInNewContext) with no CSRF protection. A malicious website can send cross-origin requests to this endpoint and execute arbitrary Node.js code in the developer's local environment; the lack of origin validation and the insufficient isolation of the sandbox together yield RCE.
Summary generated and translated by AI from the official description.
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
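The missing control described above is a check on where a request to the local endpoint comes from. The following is an added example, not code from @nestjs/devtools-integration: a request gate that rejects cross-site browser requests before the JSON `code` field is even parsed. It assumes the dev server listens only on loopback and sends no `Access-Control-Allow-Origin` header, so a cross-origin JSON POST never survives the browser's CORS preflight; `checkDevRequest` and `handleInteract` are hypothetical names.

```javascript
// Added example (not the package's own code): gate a local developer endpoint
// such as /inspector/graph/interact using headers browsers set or enforce.
// Assumption: the server sends no CORS headers, so a cross-origin JSON POST
// is stopped at the preflight; this gate covers the no-preflight cases.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

function lowerKeys(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
}

// Returns { allowed, reason } so rejected requests can be logged with a cause.
function checkDevRequest(headers) {
  const h = lowerKeys(headers);

  // 1. Browsers label cross-site fetches; page script cannot alter this header.
  const site = h['sec-fetch-site'];
  if (site && site !== 'same-origin' && site !== 'none') {
    return { allowed: false, reason: `sec-fetch-site=${site}` };
  }

  // 2. A browser-sent Origin must be a loopback origin. Non-browser clients
  //    (curl, the framework's own tooling) send no Origin and pass this step.
  if (h.origin !== undefined) {
    let host = null;
    try { host = new URL(h.origin).hostname; } catch { /* malformed origin */ }
    if (host === null || !LOOPBACK_HOSTS.has(host)) {
      return { allowed: false, reason: `origin=${h.origin}` };
    }
  }

  // 3. Require application/json. A cross-site <form> or no-preflight fetch can
  //    only send text/plain or form encodings, which the sandbox must never see.
  const ct = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'application/json') {
    return { allowed: false, reason: `content-type=${ct || 'missing'}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Handler shape: the gate fixes the HTTP status before any sandbox is touched.
function handleInteract(headers, body) {
  const verdict = checkDevRequest(headers);
  if (!verdict.allowed) return { status: 403, body: { error: verdict.reason } };
  if (typeof (body && body.code) !== 'string') {
    return { status: 400, body: { error: 'code must be a string' } };
  }
  // Only past this point would the original endpoint hand body.code to
  // vm.runInNewContext; Node's docs state vm is not a security mechanism,
  // so the gate above is the control, not the sandbox.
  return { status: 200, body: { accepted: true } };
}
```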
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Affected products
nestjs · nest
Public PoCs found — 1
GitHub: github.com/DDestinys/CVE-2025-54782