56 matches found
CVE-2025-54782
CVE-2025-54782 affects the NestJS devtools-integration package (versions 0.2.0 and earlier). The vulnerability enables Remote Code Execution via a local development HTTP server endpoint, /inspector/graph/interact, which accepts JSON containing a code field and executes it in a Node.js vm.runInNew...
CVE-2025-54782 @nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution RCE vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API...
CVE-2025-54782 @nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution RCE vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API...
GHSA-85CG-CMQ5-QJM7 @nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
Summary A critical Remote Code Execution RCE vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox safe-eval-like implementation. Due to improper...
PT-2025-31707
Name of the Vulnerable Software and Affected Versions: @nestjs/devtools-integration versions 0.2.0 and below Description: A critical Remote Code Execution RCE vulnerability exists in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with a...
PT-2025-31547 · Unknown · @Nyariv/Sandboxjs
Name of the Vulnerable Software and Affected Versions: @nyariv/sandboxjs versions through 0.8.23 Description: A prototype pollution issue exists in @nyariv/sandboxjs, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can lead to a...
CVE-2024-55652
PenDoc is a penetration testing reporting application. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an attacker can write a malicious docx template containing expressions that escape the JavaScript sandbox to execute arbitrary code on the system. An attacker who can control the...
CVE-2023-29549
Under certain circumstances, a call to the bind function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. This vulnerability affects Firefox for Android 112, Firefox 112, and Focus for Android 112...
CVE-2024-55652
PenDoc is a penetration testing reporting application. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an attacker can write a malicious docx template containing expressions that escape the JavaScript sandbox to execute arbitrary code on the system. An attacker who can control the...
CVE-2024-55652 PwnDoc Server-Side Template Injection vulnerability - Sandbox Escape to RCE using custom filters
PenDoc is a penetration testing reporting application. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an attacker can write a malicious docx template containing expressions that escape the JavaScript sandbox to execute arbitrary code on the system. An attacker who can control the...
CVE-2024-55652
CVE-2024-55652 affects PenDoc (also referenced as PwnDoc) where, prior to a particular commit, an attacker able to control a DOCX template could inject expressions that escape the JavaScript sandbox and execute arbitrary code on the host. The root cause is a template processing flaw that allowed ...
SUSE CVE-2023-29549
Under certain circumstances, a call to the bind function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. This vulnerability affects Firefox for Android 112, Firefox 112, and Focus for Android 112...
CVE-2024-34347
CVE-2024-34347 affects the Hoppscotch CLI component suite. The vulnerability stems from using the Node.js vm-based sandbox in @hoppscotch/js-sandbox, where external references exposed to the sandbox can escape it and allow arbitrary code execution (RCE). The issue is fixed in Hoppscotch 0.8.0. Pu...
CVE-2024-34347 @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside th...
CVE-2024-34347 @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
@hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.js vm module. However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside th...
PT-2024-25804 · Node.Js +1 · Node.Js +2
Name of the Vulnerable Software and Affected Versions: @hoppscotch/cli versions prior to 0.8.0 Description: The @hoppscotch/cli is a CLI to run Hoppscotch Test Scripts in CI environments. Prior to version 0.8.0, the @hoppscotch/js-sandbox package provides a Javascript sandbox that uses the Node.j...
CVE-2023-29549
Under certain circumstances, a call to the bind function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. This vulnerability affects Firefox for Android 112, Firefox 112, and Focus for Android 112...
CVE-2023-29549
Under certain circumstances, a call to the bind function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. This vulnerability affects Firefox for Android 112, Firefox 112, and Focus for Android 112...
CVE-2023-29549
Under certain circumstances, a call to the bind function may have resulted in the incorrect realm. This may have created a vulnerability relating to JavaScript-implemented sandboxes such as SES. This vulnerability affects Firefox for Android 112, Firefox 112, and Focus for Android 112...
vm2 安全漏洞
vm2 is an advanced virtual machine/sandbox for Node.js by individual developer Patrik Simek in the Czech Republic. to run untrusted code using whitelisted Node built-in modules. A security vulnerability exists in vm2 version 3.9.15 and earlier. An attacker exploits this vulnerability to bypass...