
CVE-2025-54782
JavaScript vulnerability analysis and mitigation

Overview

A critical Remote Code Execution (RCE) vulnerability (CVE-2025-54782) was discovered in the @nestjs/devtools-integration package, versions 0.2.0 and below. When enabled, the package starts a local development HTTP server whose API includes an endpoint that evaluates JavaScript inside an unsafe sandbox. Because that sandbox can be escaped and the server performs no cross-origin request validation, any website a developer visits while the server is running can submit code to it and execute arbitrary commands on the developer's machine (GitHub Advisory, Socket Blog).

Technical details

The vulnerability exists in the package's /inspector/graph/interact endpoint, which accepts a JSON body containing a code field and evaluates it with Node.js vm.runInNewContext. The sandbox closely resembles the abandoned safe-eval library, and the Node.js vm module is explicitly documented as not being a security mechanism for untrusted code: code running in a new context can reach the host realm's constructors through the prototype chain of the context object, and from there obtain the real process object and require. The server sets Access-Control-Allow-Origin to a fixed domain but does not validate the request's Origin or Content-Type. That response header only controls whether the browser lets a page read the reply; it does not stop the request from being delivered. A cross-site HTML form submission, or a fetch/XHR request with a "simple" content type such as text/plain, is sent without a CORS preflight, so the server receives and executes the body regardless, and the attacker never needs to read the response (Socket Blog).

Impact

This vulnerability allows attackers to achieve Remote Code Execution (RCE) on developers' machines running NestJS projects with @nestjs/devtools-integration enabled. An attacker can exploit this by luring a developer to visit a malicious website, which then sends a crafted POST request to the local devtools HTTP server, resulting in arbitrary code execution on the developer's machine (GitHub Advisory).

Mitigation and workarounds

The vulnerability is fixed in version 0.2.1 of @nestjs/devtools-integration. The fix replaces the vm-based sandbox with @nyariv/sandboxjs, validates the Origin and Content-Type of incoming requests, and introduces authentication for devtools connections, so that a cross-site request that does not carry the expected origin, a JSON content type and valid credentials is rejected before any code is evaluated. Users should upgrade as soon as possible. Until they can, the devtools HTTP server should stay disabled, and since the package is a development aid it should never be enabled in production builds (GitHub Advisory).

Community reactions

The vulnerability was discovered by security researcher Jonathan Leitschuh on behalf of Socket. The NestJS maintainers responded quickly with a comprehensive fix implementing multiple layers of defense. The response has been praised for its quick turnaround and thorough remediation approach (Socket Blog).

Sources: GitHub Advisory, Socket Blog. This report was generated using AI.
