{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-54782","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-07-29T16:50:28.391Z","datePublished":"2025-08-01T23:36:58.421Z","dateUpdated":"2025-08-04T15:23:30.116Z"},"containers":{"cna":{"title":"@nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers","problemTypes":[{"descriptions":[{"cweId":"CWE-77","lang":"en","description":"CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-78","lang":"en","description":"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-352","lang":"en","description":"CWE-352: Cross-Site Request Forgery (CSRF)","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"ADJACENT","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"HIGH","baseScore":9.4,"baseSeverity":"CRITICAL","vectorString":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","version":"4.0"}}],"references":[{"name":"https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7","tags":["x_refsource_CONFIRM"],"url":"https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7"},{"name":"https://github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc","tags":["x_refsource_MISC"],"url":"https://github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc"},{"name":"https://github.com/JLLeitschuh/nestjs-typescript-starter-w-devtools-integration","tags":["x_refsource_MISC"],"url":"https://github.com/JLLeitschuh/nestjs-typescript-starter-w-devtools-integration"},{"name":"https://nodejs.org/api/vm.html","tags":["x_refsource_MISC"],"url":"https://nodejs.org/api/vm.html"},{"name":"https://socket.dev/blog/nestjs-rce-vuln","tags":["x_refsource_MISC"],"url":"https://socket.dev/blog/nestjs-rce-vuln"}],"affected":[{"vendor":"nestjs","product":"nest","versions":[{"version":"< 0.2.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2025-08-01T23:36:58.421Z"},"descriptions":[{"lang":"en","value":"Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below of the @nestjs/devtools-integration package, a critical Remote Code Execution (RCE) vulnerability was discovered. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox; the Node.js documentation states that the vm module is not a security mechanism and should not be used to run untrusted code. This is fixed in version 0.2.1."}],"source":{"advisory":"GHSA-85cg-cmq5-qjm7","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-08-04T15:23:27.339034Z","id":"CVE-2025-54782","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-08-04T15:23:30.116Z"}}]}}