CVE-2025-54782 Scanner - Remote Code Execution (RCE) vulnerability in NestJS DevTools Integration
Short Info
Level
Single Scan
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 12 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -
NestJS DevTools Integration is a component that assists in developing and debugging applications built with the NestJS framework. It is used primarily by software developers and engineers building scalable server-side applications on Node.js. NestJS is known for promoting maintainability and modularity, and the DevTools integration supports developers while they write code, with the aim of speeding up their workflow.
The vulnerability is a critical Remote Code Execution (RCE) flaw in NestJS DevTools Integration versions 0.2.0 and below. It arises from an unsafe JavaScript sandbox exposed through an API endpoint. A malicious website visited during a development session can reach that endpoint and execute arbitrary code on the system running the affected package. Developers who use the package under these conditions face a significant security threat.
Technically, the /inspector/graph/interact endpoint of the NestJS development server accepts JSON input containing a code field. That code is executed in a Node.js vm.runInNewContext sandbox. The sandbox lacks stringent isolation and the endpoint lacks cross-origin request controls, which together allow arbitrary code execution. This endpoint is the focal point of the vulnerability and shows the need for stronger protections and code-sandboxing techniques in affected versions.
Exploitation of this vulnerability could result in unauthorized code execution that compromises local development environments. Such a breach may lead to sensitive data exposure, unauthorized system access, and further compromise of application security. Developers working on critical infrastructure or sensitive data processing could experience severe repercussions if the vulnerability is left unpatched.
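The description above names missing cross-origin request controls on a local development endpoint. The following is an added example, not code from NestJS or from this scanner, of the kind of request guard a defender can place in front of such an endpoint. The names checkDevRequest, hostnameOf, ALLOWED and the sample hosts, ports and origins are assumptions constructed for illustration.

```javascript
// Added example: guard for a local, dev-only HTTP endpoint (hypothetical helper names).
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Strip the port from a Host header value, keeping bracketed IPv6 literals intact.
function hostnameOf(hostHeader) {
  const h = String(hostHeader || '').trim().toLowerCase();
  if (h.startsWith('[')) return h.slice(0, h.indexOf(']') + 1);
  return h.split(':')[0];
}

// Returns { ok, reason } for a request given its method and lower-cased headers
// (the shape Node.js exposes as req.headers).
function checkDevRequest(method, headers, allowedOrigins) {
  // 1. Host must name the loopback interface; anything else is refused.
  if (!LOOPBACK_HOSTS.has(hostnameOf(headers.host))) {
    return { ok: false, reason: 'host-not-loopback' };
  }
  // 2. Browsers attach Origin to cross-origin POSTs. If present it must be
  //    allow-listed; the literal "null" origin is never listed, so it fails.
  const origin = headers.origin;
  if (origin !== undefined && !allowedOrigins.includes(origin)) {
    return { ok: false, reason: 'origin-not-allowed' };
  }
  // 3. Require a JSON body type. Browsers send form-style types cross-origin
  //    without a CORS preflight, so those are refused outright.
  if (method === 'POST') {
    const type = String(headers['content-type'] || '')
      .split(';')[0].trim().toLowerCase();
    if (type !== 'application/json') {
      return { ok: false, reason: 'content-type-not-json' };
    }
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample requests (not captured traffic); port and origins are made up.
const ALLOWED = ['http://localhost:3000'];
const samples = [
  ['POST', { host: 'localhost:9000', origin: 'http://localhost:3000', 'content-type': 'application/json' }],
  ['POST', { host: 'localhost:9000', origin: 'https://example.test', 'content-type': 'application/json' }],
  ['POST', { host: 'localhost:9000', 'content-type': 'text/plain' }],
  ['POST', { host: 'dev.example.test:9000', 'content-type': 'application/json' }],
];
for (const [method, headers] of samples) {
  console.log(headers.host, headers.origin || '-', checkDevRequest(method, headers, ALLOWED).reason);
}
```

A guard like this narrows who can reach the endpoint; it does not make the vm sandbox itself safe, so moving off the affected versions is still required.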