CVE-2025-54782

Publication date: 2025-08-02

Last updated on: 2025-10-09

Assigner: GitHub, Inc.

Description
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
Meta Information
Published: 2025-08-02
Last Modified: 2025-10-09
Generated: 2026-05-07
AI Q&A: 2025-08-02
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
nestjs | devtools-integration | to 0.2.1 (exc)
CWE ID | Description
CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a critical Remote Code Execution (RCE) issue in the @nestjs/devtools-integration package of the Nest framework (versions 0.2.0 and below). The package exposes a local development HTTP server with an API endpoint that executes code inside an unsafe JavaScript sandbox. Due to improper sandboxing and missing cross-origin protections, a malicious website visited by a developer can execute arbitrary code on their local machine through this endpoint. The vulnerability is fixed in version 0.2.1.


How can this vulnerability impact me?

If you use the vulnerable versions of the @nestjs/devtools-integration package, an attacker can execute arbitrary code on your local machine by tricking you into visiting a malicious website. This can lead to full compromise of your development environment, data loss, or unauthorized access to sensitive information.


What immediate steps should I take to mitigate this vulnerability?

Upgrade the @nestjs/devtools-integration package to version 0.2.1 or later, as this version contains the fix for the critical Remote Code Execution vulnerability. Additionally, avoid enabling the vulnerable package in production or on systems exposed to untrusted networks or websites.
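
The upgrade check described above, as an added example (not code from the advisory or the NestJS project): it scans the packages map of an npm lockfile for installs of @nestjs/devtools-integration below 0.2.1, including copies nested under other packages. The sample lockfile is constructed, and treating 0.2.1 prereleases and unparseable versions as affected is a conservative assumption.

```javascript
// Added example: audit an npm lockfile (v2/v3 "packages" map) for
// @nestjs/devtools-integration versions below the fixed release 0.2.1.
const PKG = "@nestjs/devtools-integration"; // package named in the advisory
const FIXED = [0, 2, 1];                    // fixed version per the advisory

// Split "1.2.3-beta.1+build" into a numeric core and a prerelease tag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// True when the version is below 0.2.1. Prereleases of 0.2.1 and
// unparseable versions are flagged too, so they get a manual look.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p.core[i] !== FIXED[i]) return p.core[i] < FIXED[i];
  }
  return p.pre !== null;
}

// Walk every install path, including copies nested under other packages.
function findAffectedInstalls(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isTarget = path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`);
    if (isTarget && isAffected(meta.version)) {
      hits.push({ path, version: meta.version, dev: meta.dev === true });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@nestjs/devtools-integration": { version: "0.2.0", dev: true },
    "node_modules/tooling/node_modules/@nestjs/devtools-integration": { version: "0.1.6" },
    "node_modules/other/node_modules/@nestjs/devtools-integration": { version: "0.2.1" },
    "node_modules/@nestjs/core": { version: "10.3.0" },
  },
};

for (const h of findAffectedInstalls(sampleLock)) {
  console.log(`${h.path}: ${h.version} is below 0.2.1${h.dev ? " (dev dependency)" : ""}`);
}
```

To audit a real project, pass the parsed contents of its package-lock.json to findAffectedInstalls in place of the sample object.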

