Categories: Cyber Security News

NestJS Framework Vulnerability Lets Attackers Execute Arbitrary Code on Developers' Machines

A critical security vulnerability has been discovered in the NestJS framework’s development tools that enables remote code execution (RCE) attacks against JavaScript developers. 

The flaw, identified as CVE-2025-54782, affects the @nestjs/devtools-integration package and allows malicious websites to execute arbitrary code on developers’ local machines through sophisticated sandbox escape techniques.

Key Takeaways
1. Critical RCE flaw in NestJS devtools allows code execution via malicious websites.
2. Caused by an unsafe JavaScript sandbox and poor CORS validation.
3. An immediate upgrade is required.

The disclosed vulnerability carries a critical severity rating of 9.4 on the CVSS v4 scale, highlighting the immediate danger it poses to the development community.

NestJS, described as “a progressive Node.js framework for building efficient and scalable server-side applications,” has over 4,100 followers on GitHub and is widely used in enterprise-grade applications.

NestJS Sandbox RCE Vulnerability

The security flaw stems from the @nestjs/devtools-integration package’s HTTP endpoint /inspector/graph/interact, which processes JSON input containing a code field and executes it within a Node.js vm.runInNewContext sandbox. 

The vulnerable implementation closely resembles the abandoned safe-eval library and fails to provide adequate security controls.

The problematic code includes a flawed sandbox implementation:

The vulnerability is further compounded by inadequate Cross-Origin Resource Sharing (CORS) protections. 

While the server sets Access-Control-Allow-Origin to https://devtools[.]nestjs.com, it fails to validate the request’s Origin or Content-Type headers properly. 

Attackers can exploit this weakness by crafting POST requests with a text/plain content type, which browsers treat as a simple request and therefore send without a CORS preflight check.
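The two server-side checks the article says were missing, Origin validation and a strict Content-Type requirement, as an added example that is not the NestJS project's own code; the allowlist, function names and request shape are assumptions for illustration:

```javascript
// Added example, not the NestJS project's code: request validation for a
// locally running devtools endpoint such as /inspector/graph/interact.
// The allowlist, function names and request shape are assumptions.

const ALLOWED_ORIGINS = new Set(['https://devtools.nestjs.com']);

// Normalize "application/json; charset=utf-8" to "application/json".
function mediaType(headers) {
  return (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
}

// Returns { ok: true } or { ok: false, status, reason }. Meant to run before
// any body is parsed, so rejected requests never reach the code-execution path.
function validateInteractRequest(method, headers) {
  const origin = headers['origin'];
  const originAllowed = typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);

  // Preflight only succeeds for an allowlisted origin; everything else is refused.
  if (method === 'OPTIONS') {
    return originAllowed ? { ok: true, preflight: true }
                         : { ok: false, status: 403, reason: 'origin not allowed' };
  }
  if (method !== 'POST') {
    return { ok: false, status: 405, reason: 'method not allowed' };
  }
  // Browsers attach Origin to cross-site POSTs (including HTML form posts), so
  // requiring it and matching it against the allowlist blocks drive-by pages.
  if (!originAllowed) {
    return { ok: false, status: 403, reason: 'origin not allowed' };
  }
  // A text/plain body never triggers a preflight, so the server must insist
  // on the JSON media type itself rather than rely on the browser.
  if (mediaType(headers) !== 'application/json') {
    return { ok: false, status: 415, reason: 'content-type must be application/json' };
  }
  return { ok: true };
}

// Response headers for an accepted request: echo only the validated origin
// (never "*") and tell caches that the answer varies by Origin.
function corsHeadersFor(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Vary': 'Origin',
    'Access-Control-Allow-Methods': 'POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
  };
}
```

Header checks like these stop drive-by requests from other sites; they do not replace the authentication for devtools connections that the fixed release also adds.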

Risk Factors and Details

Affected Products: @nestjs/devtools-integration package (npm), version ≤0.2.0
Impact: Remote Code Execution (RCE)
Exploit Prerequisites: developer visits a malicious website; NestJS devtools integration enabled; development server running locally
CVSS v4 Score: 9.4

Security researcher JLLeitschuh, working on behalf of Socket, demonstrated the exploit using a simple HTML form that can trigger the vulnerability when a developer visits a malicious website. 

The proof-of-concept payload leverages JavaScript’s property enumeration to escape the sandbox and gain access to Node.js’s child_process module for arbitrary command execution.

The NestJS maintainers have addressed this critical issue in version 0.2.1 by implementing a safer sandboxing alternative using @nyariv/sandboxjs, adding proper origin validation, and introducing authentication mechanisms for devtools connections. 

Developers using affected versions (≤0.2.0) are strongly advised to upgrade immediately to mitigate the risk of remote code execution attacks against their development environments.
