A critical security vulnerability has been discovered in the NestJS framework's development tools that enables remote code execution (RCE) attacks against JavaScript developers.
The flaw, identified as CVE-2025-54782, affects the @nestjs/devtools-integration package and allows malicious websites to execute arbitrary code on developers' local machines through sophisticated sandbox escape techniques.
Key Takeaways
1. Critical RCE flaw in NestJS devtools allows code execution via malicious websites.
2. Caused by an unsafe JavaScript sandbox and poor CORS validation.
3. Immediate fix required.
The vulnerability carries a critical severity rating of 9.4 on the CVSS v4 scale, highlighting the immediate danger it poses to the development community.
NestJS, described as "a progressive Node.js framework for building efficient and scalable server-side applications," has over 4,100 followers on GitHub and is widely used in enterprise-grade applications.
NestJS Sandbox RCE Vulnerability
The security flaw stems from the @nestjs/devtools-integration package's HTTP endpoint /inspector/graph/interact, which accepts JSON input containing a code field and executes it inside a Node.js vm.runInNewContext sandbox.
The vulnerable implementation closely resembles the abandoned safe-eval library and fails to provide adequate security controls.
The problematic code includes a flawed sandbox implementation:
The vulnerability is further compounded by inadequate Cross-Origin Resource Sharing (CORS) protections.
While the server sets Access-Control-Allow-Origin to https://devtools[.]nestjs.com, it fails to properly validate the request's Origin or Content-Type headers.
Attackers can exploit this weakness by crafting POST requests with a text/plain content type, which the browser treats as a "simple" request and sends without a CORS preflight check.
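To make the CORS weakness concrete, here is an added example (not code from the NestJS project) of a request gate for a devtools-style endpoint: the weak form only emits the Access-Control-Allow-Origin header, while the hardened form checks the incoming Origin and Content-Type before any body is processed. The allowed origin is the value the article names; the sample requests and the attacker origin are constructed for illustration.

```javascript
// Allowed origin, taken from the article (the devtools front end).
const ALLOWED_ORIGIN = "https://devtools.nestjs.com";

// Weak gate: mirrors the behaviour described above. It sets the CORS
// response header but never inspects Origin or Content-Type, so every
// request reaches the code-executing handler.
function weakGate(req) {
  return { allowed: true, headers: { "Access-Control-Allow-Origin": ALLOWED_ORIGIN } };
}

// Hardened gate: fail closed on both headers. Node lowercases header names,
// so lookups use lowercase keys.
function hardenedGate(req) {
  const origin = req.headers["origin"];
  const contentType = (req.headers["content-type"] || "")
    .split(";")[0].trim().toLowerCase();
  // A missing or foreign Origin is rejected; a cross-site form POST always
  // carries the attacker's Origin, and a local dev server has no reason to
  // serve other sites. Non-browser clients should authenticate instead.
  if (origin !== ALLOWED_ORIGIN) {
    return { allowed: false, reason: "origin not allowed" };
  }
  // Requiring application/json means a cross-site request is no longer
  // "simple": the browser must preflight it, and the preflight fails unless
  // the server explicitly allows that origin. text/plain form posts (which
  // skip preflight) are rejected here outright.
  if (contentType !== "application/json") {
    return { allowed: false, reason: "unexpected content type" };
  }
  return { allowed: true, headers: { "Access-Control-Allow-Origin": ALLOWED_ORIGIN, "Vary": "Origin" } };
}

// Constructed sample requests (header shapes as Node's http module presents them).
const crossSiteFormPost = {
  method: "POST",
  headers: { origin: "https://attacker.example", "content-type": "text/plain" },
};
const rightOriginWrongType = {
  method: "POST",
  headers: { origin: ALLOWED_ORIGIN, "content-type": "text/plain" },
};
const noOriginHeader = {
  method: "POST",
  headers: { "content-type": "application/json" },
};
const legitimateRequest = {
  method: "POST",
  headers: { origin: ALLOWED_ORIGIN, "content-type": "application/json; charset=utf-8" },
};
```

The gate is one layer; the maintainers' fix also replaced the sandbox and added authentication for devtools connections, and a real deployment needs all three.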
Risk Factors and Details
Affected Products: @nestjs/devtools-integration package (npm) ≤0.2.0
Impact: Remote Code Execution (RCE)
Exploit Prerequisites: developer visits a malicious site; NestJS devtools integration enabled; development server running locally
CVSS v4 Score: 9.4
Security researcher JLLeitschuh, working on behalf of Socket, demonstrated the exploit using a simple HTML form that can trigger the vulnerability when a developer visits a malicious website.
The proof-of-concept payload leverages JavaScript's property enumeration to escape the sandbox and gain access to Node.js's child_process module for arbitrary command execution.
The NestJS maintainers have addressed this critical issue in version 0.2.1 by implementing a safer sandboxing alternative using @nyariv/sandboxjs, adding proper origin validation, and introducing authentication mechanisms for devtools connections.
Developers using affected versions (≤0.2.0) are strongly advised to upgrade immediately to mitigate the risk of remote code execution attacks against their development environments.