Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
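A defensive sketch of the cross-origin checks whose absence the description calls out, as an added example that is not taken from the advisory or the NestJS code base and is not the 0.2.1 fix. The function names, the allowlisted origin and the sample requests are assumptions constructed for illustration.

```javascript
// Added example. checkDevRequest, ALLOWED_ORIGINS and the sample requests are
// hypothetical; this is not the project's code or its fix.
const ALLOWED_ORIGINS = new Set(["https://devtools.example"]); // placeholder UI origin

// HTTP header names are case-insensitive, so normalise before lookup.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// Decide whether a request to a local development endpoint may proceed.
function checkDevRequest(method, headers) {
  const h = normalizeHeaders(headers);
  const origin = h["origin"];
  // Browsers attach Origin to cross-origin POSTs. Anything not allowlisted,
  // including the opaque origin "null", is refused before any work is done.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, reason: "origin not allowlisted", responseHeaders: {} };
  }
  // Requiring application/json means a browser cannot send the request as a
  // "simple" form or text/plain POST; it has to pass a CORS preflight first.
  if (method.toUpperCase() === "POST") {
    const type = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
    if (type !== "application/json") {
      return { allowed: false, reason: "content type must be application/json", responseHeaders: {} };
    }
  }
  // Echo only the specific allowlisted origin, never a wildcard.
  const responseHeaders = origin === undefined
    ? {}
    : { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  return { allowed: true, reason: "ok", responseHeaders };
}

// Constructed sample requests (not captured traffic).
function runSamples() {
  const samples = [
    ["POST", { Origin: "https://unrelated.example", "Content-Type": "text/plain" }],
    ["POST", { "Content-Type": "text/plain" }],
    ["POST", { Origin: "null", "Content-Type": "application/json" }],
    ["POST", { Origin: "https://devtools.example", "Content-Type": "application/json; charset=utf-8" }],
  ];
  return samples.map(([method, headers]) => checkDevRequest(method, headers));
}
```

A gate like this limits who can reach the endpoint; it does not make `vm.runInNewContext` a security boundary for the code that endpoint evaluates.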
Reserved 2025-07-29 | Published 2025-08-01 | Updated 2025-08-01 | Assigner GitHub_M
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-352: Cross-Site Request Forgery (CSRF)
github.com/...s/nest/security/advisories/GHSA-85cg-cmq5-qjm7
github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc
github.com/...stjs-typescript-starter-w-devtools-integration
socket.dev/blog/nestjs-rce-vuln