2 matches found
Remote Code Execution (RCE)
@nestjs/devtools-integration is vulnerable to Remote Code Execution RCE. The vulnerability is due to improper sandboxing and missing cross-origin protections due to unsafe execution of attacker-controlled input in a JavaScript sandbox via the /inspector/graph/interact endpoint...
GHSA-85CG-CMQ5-QJM7 @nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
Summary A critical Remote Code Execution RCE vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox safe-eval-like implementation. Due to improper...