NestJS Vulnerability Allows Code Execution on Developer Machines

A critical remote code execution vulnerability has been discovered in the popular NestJS framework that could allow attackers to execute arbitrary code on developer machines.

The vulnerability, tracked as CVE-2025-54782, affects the @nestjs/devtools-integration package and has been assigned a CVSS v4 score of 10.0, the highest possible rating, because a simple web-based attack can lead to complete compromise of the developer's machine.

Vulnerability Overview

The security flaw stems from a combination of unsafe code execution practices and inadequate cross-origin request protections in the @nestjs/devtools-integration package.

When developers enable this package during development, it exposes a local HTTP server with an API endpoint at /inspector/graph/interact that accepts and executes JavaScript code within an unsafe sandbox environment.

Field               Value
CVE ID              CVE-2025-54782
CVSS v4 Score       Critical (10.0/10)
Attack Vector       Adjacent
Attack Complexity   Low

Security researcher JLLeitschuh uncovered the vulnerability on behalf of Socket, a software security company.

The core issue lies in the package’s implementation of a JavaScript sandbox that closely resembles the abandoned safe-eval library.

The sandbox uses Node.js's vm.runInNewContext method. The Node.js documentation explicitly states that the vm module is not a security mechanism and must not be used to run untrusted code: a new context gets its own global object, but that object is still reachable from, and can reach back into, the host realm.

This implementation allows for numerous known sandbox escape techniques that can lead to arbitrary code execution.

Compounding this problem is the lack of proper cross-origin request validation. The server sets Access-Control-Allow-Origin to a fixed domain, but that response header only controls whether the browser lets the calling page read the response; it does nothing to stop the request from being delivered and executed. The server does not validate the request's Origin or Content-Type headers at all.

Attackers can exploit this because a POST with a text/plain content type is a CORS "simple request": the browser sends it from an HTML form or a plain XMLHttpRequest call without a preflight, so the local server receives and executes the body before any cross-origin policy is consulted.

The attack scenario is particularly concerning due to its simplicity. An attacker can create a malicious website containing an HTML form or JavaScript code that automatically sends a crafted request to the local development server when a developer visits the page.

The exploit requires minimal user interaction—merely visiting the malicious webpage is sufficient to trigger code execution.

A proof-of-concept demonstration shows how attackers can execute commands such as launching applications on the developer’s machine, but the potential for more malicious activities, including data theft or system compromise, is significant.

The maintainers have addressed this vulnerability by replacing the vm-based sandbox with @nyariv/sandboxjs, adding proper Origin and Content-Type validation, and implementing authentication for devtools connections.

Developers using the affected package should immediately upgrade to the patched version to mitigate this critical security risk.
