CVE-2025-54782

HIGH EXPLOITED NUCLEI

Nestjs Devtools-integration < 0.2.1 - Command Injection

Title source: rule

Description

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.

Exploits (5)

github WORKING POC 40 stars
by iSee857 · pythonpoc
https://github.com/iSee857/CVE-PoC/tree/main/NestJSDevTools-CVE-2025-54782-RCE.py
github SCANNER 2 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-54782
github WORKING POC
by DDestinys · pythonremote
https://github.com/DDestinys/CVE-2025-54782
github STUB
by vxaretra · typescriptclient-side
https://github.com/vxaretra/CVE-2025-54782

Nuclei Templates (1)

NestJS DevTools Integration - Remote Code Execution
CRITICALVERIFIEDby nukunga
Shodan: devtools.nestjs.com

References (5)

Scores

CVSS v3 8.8
EPSS 0.2436
EPSS Percentile 96.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2025-08-18

Classification

CWE
CWE-78 CWE-352 CWE-77
Status published

Affected Products (2)

nestjs/devtools-integration < 0.2.1
nestjs/devtools-integration < 0.2.1npm

Timeline

Published Aug 02, 2025
Tracked Since Feb 18, 2026