CVE-2025-54782— nest 命令注入漏洞
公开利用映射 1
Nuclei · 1 CVE-2025-54782.yaml [template]
获取后续新漏洞提醒登录后订阅
一、 漏洞 CVE-2025-54782 基础信息
漏洞信息
对漏洞内容有疑问?看看神龙的深度分析是否有帮助!
查看神龙十问 ↗ 尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
@nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers
来源: 美国国家漏洞数据库 NVD
Vulnerability Description
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
来源: 美国国家漏洞数据库 NVD
CVSS Information
N/A
来源: 美国国家漏洞数据库 NVD
Vulnerability Type
在命令中使用的特殊元素转义处理不恰当(命令注入)
来源: 美国国家漏洞数据库 NVD
Vulnerability Title
nest 命令注入漏洞
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Description
nest是nestjs开源的一个 Node.js 框架,用于使用 TypeScript/JavaScript 构建高效、可扩展和企业级的服务器端应用程序。 nest 0.2.0及之前版本存在命令注入漏洞,该漏洞源于@nestjs/devtools-integration包存在不安全JavaScript沙箱,可能导致远程代码执行。
来源: 中国国家信息安全漏洞库 CNNVD
CVSS Information
N/A
来源: 中国国家信息安全漏洞库 CNNVD
Vulnerability Type
N/A
来源: 中国国家信息安全漏洞库 CNNVD
受影响产品
二、漏洞 CVE-2025-54782 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-54782.yaml | POC详情 |
| 2 | NestJS DevTools Unauthenticated RCE | https://github.com/nitrixog/CVE-2025-54782 | POC详情 |
| 3 | PoC for CVE-2025-54782 | https://github.com/vxaretra/CVE-2025-54782 | POC详情 |
| 4 | CVE-2025-54782 | https://github.com/DDestinys/CVE-2025-54782 | POC详情 |
AI 生成 POC高级
未找到公开 POC。
登录以生成 AI POC三、漏洞 CVE-2025-54782 的情报信息
请登录查看更多情报信息。
CVE-2025-54782 安全博客文章 (1)
IV. Related Vulnerabilities
V. Comments for CVE-2025-54782
暂无评论