The vulnerability, tracked as GHSA-85cg-cmq5-qjm7, was published by NestJS creator Kamil Mysliwiec three days ago and affects all versions of @nestjs/devtools-integration up to and including 0.2.0.
This discovery represents one of the most serious security threats to the Node.js development ecosystem in recent months, particularly given NestJS’s widespread adoption for building enterprise-grade server-side applications.
The vulnerability chains a Cross-Site Request Forgery (CSRF) attack with a sandbox escape to achieve arbitrary code execution on a developer's local machine.
When the @nestjs/devtools-integration package is enabled during development, it binds a local HTTP server, and any website open in the developer's browser can send requests to it.
The attack requires minimal user interaction: visiting a malicious or compromised web page while a NestJS development server with devtools enabled is running is sufficient for exploitation.
Security researchers at Socket discovered this vulnerability and have published a comprehensive analysis demonstrating the severity of the threat to the JavaScript development community.
The core vulnerability resides in the /inspector/graph/interact endpoint, which accepts a JSON body containing a code string and passes it to an unsafe JavaScript sandbox implementation.
The sandbox is built on Node.js's vm.runInNewContext() method; the official Node.js documentation states plainly that the vm module is not a security mechanism and must not be used to run untrusted code.
The vulnerable request handler shows the flawed approach (comments added to mark the defects):

```javascript
handleGraphInteraction(req, res) {
    if (req.method === 'POST') {
        let body = '';
        req.on('data', data => { body += data; });
        req.on('end', async () => {
            // No Origin check and no Content-Type check: a cross-site form post
            // or text/plain XHR from any web page reaches this point.
            res.writeHead(200, { 'Content-Type': 'application/plain' });
            // Unguarded parse of an attacker-controlled body.
            const json = JSON.parse(body);
            // Attacker-supplied code string handed to a vm-based sandbox.
            await this.sandboxedCodeExecutor.execute(json.code, res);
        });
    }
}
```
The sandbox implementation closely resembles the abandoned safe-eval library and can be trivially escaped using known techniques.
Additionally, the server's CORS handling sets Access-Control-Allow-Origin to a fixed domain but never validates the request's Origin or Content-Type. That header only controls whether the browser lets the attacker's page read the response; the request itself is still delivered and executed. Because text/plain is a CORS-safelisted content type, an auto-submitted HTML form or an XMLHttpRequest sent as text/plain needs no preflight, and the handler parses the body as JSON regardless of the declared type, so the attacker's page simply never sees a response it did not need.
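The following added example (not the NestJS project's code) contrasts the decision the vulnerable handler effectively made with the Origin and Content-Type gate the fix introduces. The header objects are constructed for this example, and the origins `https://devtools.example` and `https://attacker.example` are placeholders for the fixed ACAO domain and an attacker's site, not real hosts.

```javascript
// Added example (not NestJS code). Placeholder for the fixed domain the
// server put in Access-Control-Allow-Origin.
const DEVTOOLS_ORIGIN = 'https://devtools.example';

// Before the fix: a fixed ACAO header, and the body executed for any sender.
// ACAO decides only whether the browser exposes the response; by then the
// server has already run the submitted code.
function legacyDecision(headers) {
  return {
    executed: true,
    responseHeaders: { 'Access-Control-Allow-Origin': DEVTOOLS_ORIGIN },
  };
}

// Strip parameters (charset etc.) and normalise case: "Text/Plain;charset=UTF-8"
// becomes "text/plain".
function mediaType(value) {
  return (value || '').split(';')[0].trim().toLowerCase();
}

// After the fix: execute only when (a) the Origin header is present and matches
// an allow-listed origin exactly, and (b) the body is declared application/json.
// (b) has teeth on its own: a non-safelisted Content-Type forces a CORS
// preflight, which an HTML form cannot produce and which the origin check
// answers "no" to for every other site.
function hardenedDecision(headers, allowedOrigins = [DEVTOOLS_ORIGIN]) {
  const origin = headers['origin'];
  if (!origin) {
    return { executed: false, reason: 'missing Origin header' };
  }
  if (!allowedOrigins.includes(origin)) {
    return { executed: false, reason: `origin ${origin} not allowed` };
  }
  if (mediaType(headers['content-type']) !== 'application/json') {
    return { executed: false, reason: 'body must be application/json' };
  }
  return {
    executed: true,
    responseHeaders: { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' },
  };
}

// Constructed samples of the headers a browser attaches to each request.
// 1. The cross-site attack: an auto-submitted form or text/plain XHR on the
//    attacker's page. Safelisted type, so no preflight; the JSON body still
//    parses on the server.
const crossSiteRequest = {
  origin: 'https://attacker.example',
  'content-type': 'text/plain;charset=UTF-8',
};
// 2. A legitimate devtools client.
const devtoolsRequest = {
  origin: DEVTOOLS_ORIGIN,
  'content-type': 'application/json',
};
// 3. Attacker origin claiming application/json: the browser would only send
//    this after a successful preflight, and the origin check denies it anyway.
const spoofedTypeRequest = {
  origin: 'https://attacker.example',
  'content-type': 'application/json',
};
// 4. No Origin at all (a non-browser client): treated as untrusted.
const originlessRequest = { 'content-type': 'application/json' };
```

The origin comparison is an exact match on the full `Origin` value (scheme, host and port); substring or regular-expression matching reopens the hole via look-alike hosts. The advisory also mentions an authentication mechanism for devtools connections, which would sit on top of this gate rather than replace it.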
Developers using NestJS with the devtools integration should upgrade to version 0.2.1 or later immediately to close this critical vulnerability.
The maintainers have addressed the flaws by replacing the unsafe sandbox with @nyariv/sandboxjs, adding Origin and Content-Type validation, and introducing an authentication mechanism for devtools connections.
Given Kamil Mysliwiec’s recent activity, showing 95 commits to the main NestJS repository in July 2025 alone, the development team has demonstrated its commitment to rapidly addressing security concerns.
The attack complexity is low: it requires no privileges and only minimal user interaction, which makes it particularly dangerous in development environments, where a developer's browser and the devtools server routinely run side by side.
Organizations should conduct immediate security audits of their development infrastructure and ensure all team members update their dependencies promptly.
This incident underscores the importance of secure development practices and the ongoing security challenges facing the rapidly evolving JavaScript ecosystem.
The post New NestJS Flaw Lets Attackers Run Arbitrary Code on Developers’ Systems appeared first on Cyber Security News.