CVE-2025-54782

Severity: HIGH · Exploited in the wild · Nuclei template available

nestjs/devtools-integration < 0.2.1 - Remote Code Execution via Unsafe JavaScript Sandbox

Title source: llm

Exploitation Summary

CVE-2025-54782 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including iSee857, adminlove520, DDestinys. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a functional exploit PoC for CVE-2026-22812, demonstrating remote command execution (RCE) in OpenCode. The script sends a crafted JSON payload to the target's session endpoint, then executes the 'id' command via the shell endpoint, verifying RCE by checking for 'uid=' and 'gid=' in the response.

Description

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.

Exploits (4)

GitHub · WORKING POC · 40 stars
by iSee857 · python · poc
https://github.com/iSee857/CVE-PoC/tree/main/NestJSDevTools-CVE-2025-54782-RCE.py

The repository contains a functional exploit PoC for CVE-2026-22812, demonstrating remote command execution (RCE) in OpenCode. The script sends a crafted JSON payload to the target's session endpoint, then executes the 'id' command via the shell endpoint, verifying RCE by checking for 'uid=' and 'gid=' in the response.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenCode (version not specified)
Authentication: No auth needed
Prerequisites: Network access to the target · Target must be running a vulnerable version of OpenCode
Analyzed by devstral-2 on Feb 27, 2026
GitHub · SCANNER · 2 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2025/CVE-2025-54782

The repository contains a scanner for CVE-2024-21762, which checks for the presence of the vulnerability in Fortinet SSL VPN interfaces. It includes Python scripts that send crafted HTTP requests to detect if a target is vulnerable.

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Fortinet SSL VPN
Authentication: No auth needed
Prerequisites: Network access to the target · SSL/TLS connectivity
Analyzed by devstral-2 on Feb 27, 2026
GitHub · WORKING POC
by DDestinys · python · remote
https://github.com/DDestinys/CVE-2025-54782

This Python script exploits a remote code execution (RCE) vulnerability in a web application by sending a crafted POST request to the '/inspector/graph/interact' endpoint. The exploit leverages a JavaScript payload to execute arbitrary commands via Node.js's child_process module.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Unknown web application (likely a Node.js-based application with an inspector/graph endpoint)
Authentication: No auth needed
Prerequisites: Target URL with vulnerable endpoint · Network access to the target
Analyzed by devstral-2 on Feb 19, 2026
GitHub · STUB
by vxaretra · typescript · client-side
https://github.com/vxaretra/CVE-2025-54782

The repository contains a basic NestJS starter project with no exploit code or technical details related to CVE-2025-54782. The POCWebpage/server.js file is truncated and incomplete, offering no functional exploit.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: NestJS
Authentication: No auth needed
Analyzed by devstral-2 on Feb 19, 2026

Nuclei Templates (1)

NestJS DevTools Integration - Remote Code Execution
CRITICAL · VERIFIED · by nukunga
Shodan: devtools.nestjs.com

Scores

CVSS v3 8.8
EPSS 0.4617
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

VulnCheck KEV 2025-08-18
CWE
CWE-78 CWE-352 CWE-77
Status published
Products (2)
nestjs/devtools-integration < 0.2.1
nestjs/devtools-integration 0 - 0.2.1 (npm)
Published Aug 02, 2025
Tracked Since Feb 18, 2026