CVE-2025-54782
@nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers
Basic Information
- CVE State
- PUBLISHED
- Reserved Date
- July 29, 2025
- Published Date
- August 01, 2025
- Last Updated
- August 04, 2025
- Vendor
- nestjs
- Product
- nest
- Description
- Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
- Tags
- Exploitation
- poc
- Technical Impact
- total
- Exploited in the Wild
- Yes (2025-09-18 00:00:00 UTC) Source
nuclei_scanner
CVSS Scores
CVSS v4.0
9.4 - CRITICAL
Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SSVC Information
Exploit Status
References
Known Exploited Vulnerability Information
| Source | Added Date |
|---|---|
| The Shadowserver (via CIRCL) | 2025-09-18 00:00:00 UTC |
Scanner Integrations
| Scanner | URL | Date Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-54782.yaml | 2026-06-01 15:34:42 UTC |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel
-
Detected by Nuclei