@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
A critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When the integration is enabled, the package starts a local development HTTP server whose API exposes an endpoint that evaluates submitted JavaScript in an unsafe sandbox (a safe-eval-like implementation; safe-eval relies on Node's vm module, which is not a security boundary). Because the sandbox can be escaped and the endpoint has no cross-origin protection, any malicious website visited by a developer can make the browser send a cross-site request to the local server and thereby execute arbitrary code on the developer's machine. A full blog post about how this vulnerability was uncovered can be …