CVE-2025-54782 Scanner

CVE-2025-54782 Scanner - Remote Code Execution (RCE) vulnerability in NestJS DevTools Integration

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 12 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

NestJS DevTools Integration is a component designed to assist in the development and debugging of applications within the NestJS framework. It is primarily utilized by software developers and engineers working on scalable server-side applications using Node.js. The framework facilitates efficient web application construction and is renowned for promoting maintainability and modularity. Its integration with development tools aims to provide seamless support during the code-writing phase, accelerating workflow and enhancing productivity for developers.

The vulnerability pertains to a critical Remote Code Execution (RCE) flaw identified in NestJS DevTools Integration versions 0.2.0 and below. This security issue arises due to an unsafe JavaScript sandbox exposed through an API endpoint. The endpoint is susceptible to exploitation by malicious websites visited during development sessions, potentially executing arbitrary code on systems using the affected package. This flaw represents a significant security threat to developers utilizing the package under specified conditions.

The technical details of the flaw show that the /inspector/graph/interact endpoint in the NestJS development server accepts JSON input containing a code field. The code is executed in a Node.js vm.runInNewContext sandbox, which lacks stringent sandboxing and cross-origin request controls, allowing arbitrary code execution. This endpoint is the focal point of the vulnerability, highlighting the need for stronger protections and code sandboxing techniques in affected versions.

Exploitation of this vulnerability could result in unauthorized code execution, compromising local development environments. Such breaches may lead to sensitive data exposure, unauthorized system access, and potential further compromises of application security. Developers working on critical infrastructure or sensitive data processing could experience severe repercussions if the vulnerability is left unpatched.
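One way for an asset owner to check whether a project installs an affected version (0.2.0 and below, as stated above). This is an added example, not code from this page or from the NestJS project; it assumes the npm package name @nestjs/devtools-integration and an npm v2/v3 lockfile layout, and the sample lockfile is constructed.

```javascript
// Added example. Assumptions: npm package name and lockfile v2/v3 "packages" map.
const PKG = '@nestjs/devtools-integration';
const LAST_AFFECTED = [0, 2, 0]; // the page states "versions 0.2.0 and below"

// Parse "x.y.z" (ignoring any pre-release/build suffix) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version <= 0.2.0; unparsable versions are flagged for manual review.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== LAST_AFFECTED[i]) return p[i] < LAST_AFFECTED[i];
  }
  return true; // exactly 0.2.0
}

// Walk every installed copy, including nested node_modules directories.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== 'node_modules/' + PKG && !path.endsWith('/node_modules/' + PKG)) continue;
    findings.push({ path, version: meta.version, devOnly: meta.dev === true,
                    affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample; for a real project use
// JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@nestjs/core': { version: '10.3.0' },
    'node_modules/@nestjs/devtools-integration': { version: '0.1.6', dev: true },
    'node_modules/tooling/node_modules/@nestjs/devtools-integration': { version: '0.2.1' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version} ${f.affected ? 'AFFECTED' : 'ok'}`);
}
```

An entry marked devOnly still counts as a finding, since the page describes exploitation during development sessions.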
