CVE-2025-54782
Published: 02 August 2025
Summary
CVE-2025-54782 is a critical-severity Command Injection (CWE-77) vulnerability in the @nestjs/devtools-integration package. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks in the top 2.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
Nest is a Node.js framework, and the vulnerability affects the @nestjs/devtools-integration package in versions 0.2.0 and below. When the package is enabled it starts a local HTTP server that exposes the /inspector/graph/interact endpoint; this endpoint accepts a JSON body containing a code field and executes the supplied JavaScript with Node's vm.runInNewContext. The vm module creates a separate JavaScript context, not an isolation boundary: Node's own documentation states that vm is not a security mechanism, and code running in a context can reach host-realm objects through the prototype chain of the context object. The endpoint also performs no origin check and requires no authentication, so a request from any website can reach it. The issue is tracked as CVE-2025-54782 with a CVSS 4.0 score of 9.4 and is associated with CWE-77, CWE-78, and CWE-352.
An attacker who can lure a developer into visiting a malicious website while the vulnerable NestJS development server is running can have the developer's own browser submit a request to the endpoint. Binding the server to localhost does not help, because the request originates from a browser on that same machine. Since the vm context is not an isolation boundary and the request requires neither authentication nor an origin check, the attacker obtains remote code execution on the developer's workstation with the privileges of the user running the Node process.
The vulnerability is fixed in @nestjs/devtools-integration 0.2.1. The fix is tracked in the NestJS security advisory GHSA-85cg-cmq5-qjm7, whose accompanying patches address the inspector endpoint; developers are advised to update the package, enable the integration only for local development, and avoid running it in untrusted environments.
Public proof-of-concept code and a demonstration repository have been published, and the EPSS score rose from a low baseline to a peak of 0.3911 (an estimated 39% probability of exploitation activity within 30 days), indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23413
Vulnerability details
Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables Drive-by Compromise (T1189): a malicious website issues a cross-site request to the developer's localhost dev server. It also maps to Exploitation for Client Execution (T1203), since the code supplied in that request escapes the vm context of the local NestJS dev server and runs as the developer's user.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the RCE by requiring timely patching of the vulnerable @nestjs/devtools-integration package to version 0.2.1 or later.
- CM-7 (Least Functionality): prevents exposure of the vulnerable development endpoint by permitting only essential functionality, which here means enabling the devtools integration only in local development and never in environments where untrusted web content can reach the workstation.
- Input validation: validating the JSON body sent to /inspector/graph/interact is defence in depth at best. An endpoint whose purpose is to execute a caller-supplied JavaScript string cannot be made safe by filtering that string, so the effective controls remain CM-7 and SI-2.