Remote Code Execution Vulnerability in NestJS Framework and @nestjs/devtools-integration Package
CVE-2025-54782
What is CVE-2025-54782?
CVE-2025-54782 is a critical vulnerability in @nestjs/devtools-integration, the developer-tooling companion package of the NestJS framework. NestJS is a widely used framework for building server-side applications in Node.js. The flaw affects @nestjs/devtools-integration versions 0.2.0 and below. When the integration is enabled, the package starts a local HTTP server whose API includes an endpoint that executes code supplied in the request. Two weaknesses combine: the endpoint evaluates that code in a JavaScript "sandbox" that is not a real security boundary, so attacker-supplied code can escape it and reach the host process, and the server performs no cross-origin checks, so it will act on requests sent by any web page the developer happens to load. A malicious site can therefore use the developer's browser as a bridge to the local server and execute arbitrary code on the developer's machine with the privileges of the Node.js process. Because this is a development-time tool, the immediate exposure is the developer workstation, including the source code, configuration and credentials on it, and through those credentials any repositories, pipelines and production systems the workstation can reach.
Potential Impact of CVE-2025-54782
- Remote code execution on developer machines: a developer who loads an attacker-controlled or compromised web page while the devtools server is running can have arbitrary code executed on their workstation, with no interaction beyond visiting the page. The code runs with the privileges of the Node.js process, which on a developer machine is normally the developer's own user account, so the result is a full compromise of that account.
- Exposure of sensitive data: code running as the developer can read whatever the developer can read, including source code, local configuration and stored credentials, and can reach any system those credentials unlock. The consequences are data leakage, intellectual-property theft and loss of customer trust.
- Pivot into wider systems: a compromised development environment is a foothold rather than an end. The credentials and network access held on the workstation let an attacker move into source repositories, build pipelines and production systems, run further exploits or deploy malware there.
Affected Version(s)
@nestjs/devtools-integration < 0.2.1 (that is, 0.2.0 and earlier; 0.2.1 is the first unaffected release)