Cyber Posture

CVE-2025-54782

High · Public PoC · RCE

Published: 02 August 2025
Modified: 09 October 2025
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.3248 (96.9th percentile)
Risk Priority: 37 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54782 is a high-severity Command Injection (CWE-77) vulnerability in Nestjs Devtools-Integration. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 3.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Drive-by Compromise (T1189) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-2 (Flaw Remediation), prevent: Directly mitigates the RCE by requiring timely patching of the vulnerable @nestjs/devtools-integration package to version 0.2.1 or later.
- CM-7 (Least Functionality), prevent: Prevents exposure of the vulnerable development endpoint by permitting only essential functionality and disabling unnecessary devtools integration.
- prevent: Addresses improper sandboxing of JSON code input at /inspector/graph/interact by enforcing validation to reject malicious payloads.

MITRE ATT&CK Enterprise Techniques

- T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
- T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The vulnerability enables drive-by compromise (T1189) via malicious websites exploiting CSRF to localhost and client-side exploitation for RCE (T1203) through sandbox escape in the local NestJS dev server.

NVD Description

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.

Deeper analysis

CVE-2025-54782 is a critical remote code execution (RCE) vulnerability affecting the @nestjs/devtools-integration package, versions 0.2.0 and below, which is used with the Nest framework for building scalable Node.js server-side applications. When enabled, the package exposes a local development HTTP server with an API endpoint at /inspector/graph/interact that accepts JSON input containing a code field. This code is executed in a Node.js vm.runInNewContext sandbox, but due to improper sandboxing and missing cross-origin protections, the implementation is unsafe, akin to a flawed safe-eval mechanism. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-77 (Command Injection), CWE-78 (OS Command Injection), and CWE-352 (Cross-Site Request Forgery).

The attack requires a developer to visit a malicious website while their local NestJS development server has the vulnerable @nestjs/devtools-integration package enabled. Any attacker controlling a malicious website can exploit the lack of cross-origin protections to send a crafted JSON payload to the /inspector/graph/interact endpoint on the victim's local server, causing arbitrary JavaScript code to execute in the sandboxed context on the developer's machine. Successful exploitation grants the attacker full RCE capabilities locally, potentially leading to data theft, malware deployment, or further system compromise, though it relies on user interaction (UI:R).

The NestJS security advisory (GHSA-85cg-cmq5-qjm7) and related disclosures confirm the issue is fixed in version 0.2.1 of @nestjs/devtools-integration. Security practitioners should immediately upgrade to the patched version, disable the package in production environments, and avoid enabling it during development unless necessary. Proof-of-concept exploits are publicly available, including at https://github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc and https://github.com/JLLeitschuh/nestjs-typescript-starter-w-devtools-integration, highlighting the need for prompt remediation.

Details

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection), CWE-352 (Cross-Site Request Forgery)

Affected Products: nestjs devtools-integration ≤ 0.2.1

CVEs Like This One

- CVE-2026-2293 (same vendor: Nestjs)
- CVE-2026-33011 (same vendor: Nestjs)
- CVE-2026-40879 (same vendor: Nestjs)
- CVE-2026-3102 (shared CWE-77, CWE-78)
- CVE-2025-22343 (shared CWE-352)
- CVE-2025-2717 (shared CWE-77, CWE-78)
- CVE-2026-2175 (shared CWE-77, CWE-78)
- CVE-2026-2210 (shared CWE-77, CWE-78)
- CVE-2025-1676 (shared CWE-77, CWE-78)
- CVE-2026-5978 (shared CWE-77, CWE-78)
