CVE-2025-54782: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in nestjs nest
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
AI Analysis
Technical Summary
CVE-2025-54782 is a critical Remote Code Execution (RCE) vulnerability affecting the @nestjs/devtools-integration package used in the NestJS framework, specifically in versions prior to 0.2.1. NestJS is a popular framework for building scalable server-side applications with Node.js. The vulnerability arises from an unsafe JavaScript sandbox implementation within a local development HTTP server exposed by the package. This server exposes an API endpoint at /inspector/graph/interact that accepts JSON input containing a 'code' field. The code provided is executed within a Node.js vm.runInNewContext sandbox, which is intended to isolate execution. However, due to improper sandboxing and lack of cross-origin protections, this sandbox can be bypassed by malicious websites visited by developers. This means that if a developer using a vulnerable version of NestJS visits a malicious website, the attacker can execute arbitrary code on the developer's local machine. The vulnerability is rooted in CWE-77 (Improper Neutralization of Special Elements used in a Command), CWE-78 (Improper Neutralization of Special Elements used in an OS Command), and CWE-352 (Cross-Site Request Forgery), indicating issues with command injection and CSRF protections. The CVSS 4.0 score is 9.4 (critical), reflecting the high impact and ease of exploitation without authentication or user interaction. The vulnerability was fixed in version 0.2.1 of the package. No known exploits are reported in the wild yet, but the severity and nature of the flaw make it a significant risk during development phases.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily during the software development lifecycle. Developers using vulnerable versions of NestJS could have their local machines compromised simply by visiting malicious websites, leading to unauthorized code execution. This can result in theft of sensitive source code, credentials, or internal tools, potentially leading to broader organizational compromise if attackers pivot from developer machines to production environments. The lack of authentication and user interaction requirements increases the risk, especially in environments where developers access external web content. Additionally, compromised developer machines could be used to inject malicious code into applications before deployment, undermining software supply chain integrity. Given the widespread adoption of Node.js and NestJS in Europe’s tech sector, including startups and enterprises, the vulnerability could have cascading effects on software security and data confidentiality. Organizations with remote or hybrid development teams are particularly vulnerable due to increased exposure to untrusted networks and websites.
Mitigation Recommendations
1. Immediately upgrade @nestjs/devtools-integration to version 0.2.1 or later to apply the official patch.
2. Restrict usage of the devtools-integration package to trusted internal networks and avoid enabling it in production or public-facing environments.
3. Implement network-level controls such as firewall rules or local host restrictions to prevent external access to the development HTTP server endpoints.
4. Educate developers about the risks of visiting untrusted websites while running development servers with exposed endpoints.
5. Use browser security features or extensions that block cross-origin requests or sandbox escape attempts during development.
6. Conduct regular code reviews and security audits of development tools and dependencies to detect unsafe sandbox implementations.
7. Employ endpoint protection solutions on developer machines to detect anomalous code execution or suspicious network activity.
8. Consider isolating development environments using virtual machines or containers to limit the impact of potential compromises.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland, Poland
Technical Details
Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-07-29T16:50:28.391Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 688d5220ad5a09ad00cfe3f7
Added to database: 8/1/2025, 11:47:44 PM
Last enriched: 8/2/2025, 12:03:13 AM
Last updated: 8/2/2025, 10:04:35 AM
Views: 12