CVE-2025-54782: @nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
A critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that evaluates JavaScript inside an unsafe sandbox (a safe-eval-like implementation on top of Node's vm module, which the Node documentation states is not a security mechanism). Because the sandbox can be escaped and the endpoint has no cross-origin protections, any malicious website a developer visits can send a cross-site request to the local server and execute arbitrary code on the developer's machine. While the integration is enabled, the local server should be treated as reachable by every page open in the developer's browser.
A full blog post about how this vulnerability was uncovered can be found on Socket’s blog.
References
- github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc
- github.com/JLLeitschuh/nestjs-typescript-starter-w-devtools-integration
- github.com/advisories/GHSA-85cg-cmq5-qjm7
- github.com/nestjs/nest
- github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
- jlleitschuh.org/nestjs-devtools-integration-rce-poc
- nodejs.org/api/vm.html
- nvd.nist.gov/vuln/detail/CVE-2025-54782
- socket.dev/blog/nestjs-rce-vuln
Detect and mitigate CVE-2025-54782 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →