Critical RCE Flaw (CVE-2025-54782) in NestJS DevTools Allows Remote Code Execution

A critical vulnerability has been uncovered in the @nestjs/devtools-integration package—a component of the popular NestJS framework for building scalable Node.js applications. This flaw, tracked as CVE-2025-54782 and carrying a CVSS v4 score of 9.4, could allow arbitrary code execution on a developer’s local machine, simply by visiting a malicious website.

“Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine,” the Nest advisory warns.

The vulnerability lies in how the devtools integration sets up a local development HTTP server with exposed endpoints. One particularly dangerous endpoint—/inspector/graph/interact—accepts JSON input containing code, which is then executed using an unsafe sandbox implemented via vm.runInNewContext.

“The sandbox implementation closely resembles the abandoned safe-eval library… Numerous known sandbox escape techniques allow arbitrary code execution,” the advisory states.

In addition to the weak sandbox, the server was configured with inadequate CORS protections:

• It sets Access-Control-Allow-Origin to a fixed domain without validating the request’s actual origin.
• It fails to restrict Content-Type, allowing attackers to send text/plain POST requests using HTML forms or basic JavaScript.

This combination allows a malicious site to bypass browser security and exploit the sandbox, executing code directly on the developer’s machine.

Here’s how an attack might unfold:

1. A developer starts a NestJS project with devtools integration enabled.
2. They visit a compromised or malicious website.
3. The site sends a crafted POST request to http://localhost:<port>/inspector/graph/interact.
4. The server, trusting the request, executes arbitrary JavaScript in the unsafe sandbox.
5. The attacker gains remote access to the developer’s system.

“Because the sandbox can be trivially escaped, and the endpoint accepts cross-origin POST requests without proper checks, this vulnerability allows arbitrary code execution,” the advisory warns.

The maintainers have responded swiftly by:

• Replacing the unsafe sandbox with @nyariv/sandboxjs.
• Adding strict origin and content-type validation.
• Introducing authentication for the devtools connection.

Related Posts:

• Chrome Update Fixes High-Severity Security Flaw (CVE-2025-4096)
• Windows Sandbox Gets Supercharged: Clipboard and File Sharing Arrive
• Zero-Day Attack Alert: Corrupted Files Weaponized in New Attacks

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy