CVE-2025-54782
Nest Devtools Integration Remote Code Execution Vulnerability
Description

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.

INFO

Published Date: Aug. 2, 2025, 12:15 a.m.

Last Modified: Aug. 4, 2025, 4:15 p.m.

Remotely Exploitable: No


Public PoC/Exploit Available at Github

CVE-2025-54782 has 1 public PoC/exploit available on GitHub.

Affected Products

The following products are affected by the CVE-2025-54782 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID  Vendor  Product
1   Nestjs  nest

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts published on GitHub (sorted by most recently updated).

A demonstration of the RCE vulnerability in the @nestjs/devtools-integration

HTML JavaScript

Created: July 25, 2025, 7:50 p.m. This repo has also been linked to 1 different CVE.


The following news articles mention the CVE-2025-54782 vulnerability.

  • CybersecurityNews
    NestJS Framework Vulnerability Let Attackers Execute Arbitrary Code in Developers Machine

    A critical security vulnerability has been discovered in the NestJS framework’s development tools that enables remote code execution (RCE) attacks against JavaScript developers. The flaw, identified a ...

    Published Date: Aug 04, 2025
  • Daily CyberSecurity
    Critical Flaws Found in Partner Software: Default Admin Passwords & XSS Allow RCE on Government Systems

    A recent vulnerability note issued by CERT/CC disclosed three critical security flaws in Partner Software’s flagship platforms—Partner Software and Partner Web. These applications are widely used by ...

    Published Date: Aug 04, 2025
  • Daily CyberSecurity
    Critical RCE Flaw (CVE-2025-54782) in NestJS DevTools Allows Remote Code Execution

    A critical vulnerability has been uncovered in the @nestjs/devtools-integration package—a component of the popular NestJS framework for building scalable Node.js applications. This flaw, tracked as CV ...

    Published Date: Aug 04, 2025

The following table lists the changes that have been made to the CVE-2025-54782 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Aug. 04, 2025

    Action Type Old Value New Value
    Added Reference https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
  • New CVE Received by [email protected]

    Aug. 02, 2025

    Action Type Old Value New Value
    Added Description Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
    Added CVSS V4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-352
    Added CWE CWE-78
    Added CWE CWE-77
    Added Reference https://github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc
    Added Reference https://github.com/JLLeitschuh/nestjs-typescript-starter-w-devtools-integration
    Added Reference https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
    Added Reference https://nodejs.org/api/vm.html
    Added Reference https://socket.dev/blog/nestjs-rce-vuln
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-54782 is associated with the following CWEs:
