Critical Vulnerability in NestJS Framework Allows Remote Code Execution on Developers’ Machines

A significant security flaw has been identified in the NestJS framework’s development tools, specifically within the `@nestjs/devtools-integration` package. This vulnerability, designated as CVE-2025-54782, enables remote code execution (RCE) attacks, allowing malicious websites to execute arbitrary code on developers’ local machines. The flaw has been assigned a critical severity rating of 9.4 on the CVSS v4 scale, underscoring the immediate risk it poses to the development community.

Understanding the Vulnerability

NestJS is a progressive Node.js framework designed for building efficient and scalable server-side applications. It has gained substantial popularity, with over 4,100 followers on GitHub, and is widely utilized in enterprise-grade applications.

The core of this vulnerability lies in the `@nestjs/devtools-integration` package, which introduces an HTTP endpoint at `/inspector/graph/interact`. This endpoint processes JSON input containing a `code` field and executes it within a Node.js sandbox using the `vm.runInNewContext` method. However, the implementation of this sandbox is flawed, closely resembling the abandoned `safe-eval` library, and fails to provide adequate security controls.

The problematic handler, which reads the request body and passes the `code` field straight to the sandbox, looks like this:

```javascript
handleGraphInteraction(req, res) {
  if (req.method === 'POST') {
    let body = '';
    req.on('data', data => {
      body += data;
    });
    req.on('end', () => {
      // No check of the Origin or Content-Type headers before the body is used.
      res.writeHead(200, { 'Content-Type': 'application/plain' });
      const json = JSON.parse(body);
      // The attacker-controlled `code` string goes straight to the vm-based sandbox.
      this.sandboxedCodeExecutor.execute(json.code, res);
    });
  }
}
```

This implementation allows for the execution of arbitrary code, posing a significant security risk.

Exploitation Mechanism

The vulnerability is further exacerbated by inadequate Cross-Origin Resource Sharing (CORS) protections. While the server sets `Access-Control-Allow-Origin` to `https://devtools.nestjs.com`, it fails to properly validate the request’s `Origin` or `Content-Type` headers. Attackers can exploit this weakness by crafting POST requests with a `text/plain` content type, effectively bypassing CORS preflight checks.

Security researcher Jonathan Leitschuh, working on behalf of Socket, demonstrated the exploit using a simple HTML form that can trigger the vulnerability when a developer visits a malicious website. The proof-of-concept payload leverages JavaScript’s property enumeration to escape the sandbox and gain access to Node.js’s `child_process` module for arbitrary command execution.

Risk Factors

– Affected Products: `@nestjs/devtools-integration` package (npm) versions ≤0.2.0
– Impact: Remote Code Execution (RCE)
– Exploit Prerequisites:
  – Developer visits a malicious website
  – NestJS devtools integration enabled
  – Development server running locally
– CVSS v4 Score: 9.4

Mitigation and Recommendations

The NestJS maintainers have addressed this critical issue in version 0.2.1 by implementing a safer sandboxing alternative using `@nyariv/sandboxjs`, adding proper origin validation, and introducing authentication mechanisms for devtools connections. Developers using affected versions (≤0.2.0) are strongly advised to upgrade immediately to mitigate the risk of remote code execution attacks against their development environments.

Conclusion

This vulnerability highlights the importance of secure coding practices and the need for rigorous validation mechanisms within development tools. Developers are urged to stay vigilant, keep their dependencies updated, and implement robust security measures to protect their development environments from potential threats.