
CVE-2025-54782: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in nestjs nest

Severity: Critical
Tags: vulnerability, cve-2025-54782, cwe-77, cwe-78, cwe-352
Published: Fri Aug 01 2025 (08/01/2025, 23:36:58 UTC)
Source: CVE Database V5
Vendor/Project: nestjs
Product: nest

Description

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.

AI-Powered Analysis

AI analysis last updated: 08/02/2025, 00:03:13 UTC

Technical Analysis

CVE-2025-54782 is a critical Remote Code Execution (RCE) vulnerability affecting the @nestjs/devtools-integration package used in the NestJS framework, specifically in versions prior to 0.2.1. NestJS is a popular framework for building scalable server-side applications with Node.js. The vulnerability arises from an unsafe JavaScript sandbox implementation within a local development HTTP server exposed by the package. This server exposes an API endpoint at /inspector/graph/interact that accepts JSON input containing a 'code' field. The code provided is executed within a Node.js vm.runInNewContext sandbox, which is intended to isolate execution. However, due to improper sandboxing and lack of cross-origin protections, this sandbox can be bypassed by malicious websites visited by developers. This means that if a developer using a vulnerable version of NestJS visits a malicious website, the attacker can execute arbitrary code on the developer's local machine. The vulnerability is rooted in CWE-77 (Improper Neutralization of Special Elements used in a Command), CWE-78 (Improper Neutralization of Special Elements used in an OS Command), and CWE-352 (Cross-Site Request Forgery), indicating issues with command injection and CSRF protections. The CVSS 4.0 score is 9.4 (critical), reflecting the high impact and ease of exploitation without authentication or user interaction. The vulnerability was fixed in version 0.2.1 of the package. No known exploits are reported in the wild yet, but the severity and nature of the flaw make it a significant risk during development phases.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily during the software development lifecycle. Developers using vulnerable versions of NestJS could have their local machines compromised simply by visiting malicious websites, leading to unauthorized code execution. This can result in theft of sensitive source code, credentials, or internal tools, potentially leading to broader organizational compromise if attackers pivot from developer machines to production environments. The lack of authentication and user interaction requirements increases the risk, especially in environments where developers access external web content. Additionally, compromised developer machines could be used to inject malicious code into applications before deployment, undermining software supply chain integrity. Given the widespread adoption of Node.js and NestJS in Europe’s tech sector, including startups and enterprises, the vulnerability could have cascading effects on software security and data confidentiality. Organizations with remote or hybrid development teams are particularly vulnerable due to increased exposure to untrusted networks and websites.

Mitigation Recommendations

1. Immediate upgrade to @nestjs/devtools-integration version 0.2.1 or later to apply the official patch.
2. Restrict usage of the devtools-integration package to trusted internal networks and avoid enabling it in production or public-facing environments.
3. Implement network-level controls such as firewall rules or local host restrictions to prevent external access to the development HTTP server endpoints.
4. Educate developers about the risks of visiting untrusted websites while running development servers with exposed endpoints.
5. Use browser security features or extensions that block cross-origin requests or sandbox escape attempts during development.
6. Conduct regular code reviews and security audits of development tools and dependencies to detect unsafe sandbox implementations.
7. Employ endpoint protection solutions on developer machines to detect anomalous code execution or suspicious network activity.
8. Consider isolating development environments using virtual machines or containers to limit the impact of potential compromises.
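The description attributes the exposure to missing cross-origin protections on a local endpoint that runs submitted code, and mitigation step 1 is a version upgrade. As an added illustration, not code from the project or from its 0.2.1 fix (the page does not describe how the fix works), the following Node.js guard shows the kind of same-origin and token check a local devtools endpoint needs, together with a check for affected versions. The header name x-devtools-token, the allowed origins, the port and the token value are assumptions.

```javascript
// Added example (not code from @nestjs/devtools-integration or its 0.2.1 fix):
// a same-origin guard for a local development endpoint such as
// /inspector/graph/interact, showing the cross-origin protection the advisory
// says was missing. Header name, origins and token value are assumptions.
const DEVTOOLS_PATH = '/inspector/graph/interact';
// Origins of the local devtools UI allowed to call the endpoint (assumed port).
const LOCAL_ORIGINS = new Set(['http://localhost:8000', 'http://127.0.0.1:8000']);

// True when a dotted version string is older than the fixed release (0.2.1).
function isAffectedVersion(installed, fixed = '0.2.1') {
  const a = installed.split('.').map(Number);
  const b = fixed.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false; // equal to the fixed version
}

// Decide whether a request may reach the interact endpoint.
// `req` is { method, url, headers } with lower-cased header names, as Node's
// http module delivers them. Returns { allow, reason } so denials can be logged.
function guardDevtoolsRequest(req, expectedToken) {
  const h = req.headers || {};
  if (req.url !== DEVTOOLS_PATH) return { allow: true, reason: 'not a devtools route' };
  if (req.method !== 'POST') return { allow: false, reason: 'method not allowed' };
  // Browsers attach Sec-Fetch-Site to fetch/XHR; anything but same-origin is refused.
  const site = h['sec-fetch-site'];
  if (site && site !== 'same-origin') return { allow: false, reason: 'cross-site request' };
  // Browsers always send Origin on cross-origin POSTs; only the local UI is trusted
  // (this also rejects the literal "null" origin of sandboxed frames).
  if (h['origin'] && !LOCAL_ORIGINS.has(h['origin'])) return { allow: false, reason: 'untrusted origin' };
  // A per-session secret a foreign page cannot read; a forged form or fetch lacks it.
  if (h['x-devtools-token'] !== expectedToken) return { allow: false, reason: 'missing or wrong token' };
  return { allow: true, reason: 'ok' };
}

// Constructed sample requests: one forged from a malicious page, one from the local UI.
const token = 'constructed-session-token';
const forged = { method: 'POST', url: DEVTOOLS_PATH,
  headers: { origin: 'https://attacker.example', 'sec-fetch-site': 'cross-site' } };
const legit = { method: 'POST', url: DEVTOOLS_PATH,
  headers: { origin: 'http://localhost:8000', 'sec-fetch-site': 'same-origin', 'x-devtools-token': token } };
console.log(guardDevtoolsRequest(forged, token)); // { allow: false, reason: 'cross-site request' }
console.log(guardDevtoolsRequest(legit, token));  // { allow: true, reason: 'ok' }
console.log(isAffectedVersion('0.2.0'));          // true
```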


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-29T16:50:28.391Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 688d5220ad5a09ad00cfe3f7

Added to database: 8/1/2025, 11:47:44 PM

Last enriched: 8/2/2025, 12:03:13 AM

Last updated: 8/2/2025, 10:04:35 AM
