NestJS 漏洞列表

Nest是一个用于构建可扩展的Node.js服务器端应用程序的框架。在0.2.0及以下版本中，在@nestjs/devtools集成包中发现了一个关键的远程代码执行（RCE）漏洞。启用后，该包将公开本地开发HTTP服务器，该服务器具有使用不安全JavaScript沙箱的API端点（类似安全价值的实现）。由于不正确的沙盒和缺少跨源保护，开发人员访问的任何恶意网站都可以在其本地计算机上执行任意代码。该包将HTTP端点添加到本地运行的NestJS开发服务器。其中一个端点/iventor/graph/interact接受包含代码字段的JSON输入，并在Node.jsvm.runInNewContext沙箱中执行提供的代码。

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox.

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox.