CVE-2025-54782 is a critical Remote Code Execution (RCE) vulnerability affecting the @nestjs/devtools-integration package in NestJS framework versions 0.2.0 and below. NestJS is a popular framework for building scalable server-side applications in Node.js. This vulnerability arises from the exposure of a local development HTTP server endpoint (/inspector/graph/interact) that accepts JSON input containing a 'code' field. The code is executed within a JavaScript sandbox implemented using Node.js's vm.runInNewContext method. However, the sandbox is improperly implemented, lacking sufficient isolation and cross-origin protections. This improper neutralization of special elements (CWE-77) and unsafe sandboxing allows any malicious website visited by a developer to execute arbitrary code on the developer's local machine. The vulnerability does not require authentication or user interaction beyond visiting a malicious website, making it highly exploitable in development environments. The issue is fixed in version 0.2.1 of the package. The CVSS 4.0 score is 9.4 (critical), reflecting the high impact on confidentiality, integrity, and availability, as well as the ease of exploitation and the broad scope of affected systems during development.

For European organizations, this vulnerability poses a significant risk primarily in development environments where NestJS versions prior to 0.2.1 are used with the @nestjs/devtools-integration package enabled. An attacker can leverage this flaw by tricking developers into visiting malicious websites, leading to arbitrary code execution on local machines. This can result in theft of sensitive source code, insertion of backdoors or malicious code into applications before deployment, and potential lateral movement within internal networks. The compromise of developer machines can undermine the software supply chain, leading to widespread impact beyond the initial host. Given the criticality, organizations with active NestJS development teams are at risk of intellectual property loss, reputational damage, and operational disruption. Since this vulnerability exploits local development setups, it may not directly impact production servers but can indirectly lead to severe downstream consequences.

1. Immediate upgrade of @nestjs/devtools-integration package to version 0.2.1 or later to apply the patch that fixes the sandboxing and cross-origin issues. 2. Disable or restrict access to the devtools integration endpoints in development environments, especially when working on untrusted networks. 3. Implement network segmentation and firewall rules to limit exposure of local development servers to only trusted hosts. 4. Educate developers about the risks of visiting untrusted websites during development and encourage use of isolated environments or virtual machines for development work. 5. Employ endpoint protection solutions that can detect and block suspicious local code execution activities. 6. Review and monitor developer machines for signs of compromise, including unexpected processes or network connections. 7. Integrate secure coding practices and sandboxing verification in the development lifecycle to prevent similar issues.