A critical security vulnerability has been discovered in the NestJS framework\u2019s development tools that enables remote code execution (RCE) attacks against JavaScript developers.\u00a0<\/p>\n
The flaw, identified as CVE-2025-54782, affects the @nestjs\/devtools-integration package and allows malicious websites to execute arbitrary code on developers\u2019 local machines through sophisticated sandbox escape techniques.<\/p>\n
Key Takeaways<\/strong>
1. Critical RCE flaw in NestJS devtools allows code execution via malicious websites.
2. Caused by an unsafe JavaScript sandbox and poor CORS validation.
3. Immediate fix required.<\/pre>\nThe vulnerability disclosed carries a critical severity rating of 9.4 on the CVSS v4 scale, highlighting the immediate danger it poses to the development community.\u00a0<\/p>\n
NestJS, described as \u201ca progressive Node.js framework for building efficient and scalable server-side applications,\u201d has over 4,100 followers on GitHub and is widely used in enterprise-grade applications.<\/p>\n
NestJS Sandbox RCE Vulnerability<\/strong><\/h2>\n
The security flaw stems from the @nestjs\/devtools-integration package\u2019s HTTP endpoint \/inspector\/graph\/interact, which processes JSON input containing a code field and executes it within a Node.js vm.runInNewContext sandbox.\u00a0<\/p>\n
The vulnerable implementation closely resembles the abandoned safe-eval library and fails to provide adequate security controls.<\/p>\n
The problematic code includes a flawed sandbox implementation:<\/p>\n
\n<\/figure>\n<\/div>\n
The vulnerability is further compounded by inadequate Cross-Origin Resource Sharing (CORS) protections.\u00a0<\/p>\n
While the server sets Access-Control-Allow-Origin to https:\/\/devtools[.]nestjs.com, it fails to validate the request\u2019s Origin or Content-Type headers properly.\u00a0<\/p>\n
Attackers can exploit this weakness by crafting POST requests with text\/plain content type, effectively bypassing CORS preflight checks.<\/p>\n
\n