Platform
nodejs
Component
@nestjs/devtools-integration
Fixed versions
0.2.2
0.2.1
A critical Remote Code Execution (RCE) vulnerability has been identified in the @nestjs/devtools-integration package. It stems from an unsafe JavaScript sandbox in the package's development HTTP server: a web page the developer happens to visit can make the browser send a request to that local server, and the server evaluates the attacker-supplied code without effective isolation, so arbitrary code runs on the developer's machine. Versions prior to 0.2.1 are affected; the fix shipped in version 0.2.1, released on August 1, 2025.
The impact of CVE-2025-54782 is severe. An attacker who controls a website visited by a developer running @nestjs/devtools-integration can execute arbitrary code on that developer's machine with the privileges of the NestJS process. This can lead to full compromise of the workstation, including data theft, malware installation, and lateral movement into the developer's network. Because the malicious request originates from the developer's own browser, the attack needs no inbound network access to the machine and bypasses traditional perimeter controls, which is what makes it particularly insidious. The root cause is a safe-eval-like evaluator that runs untrusted code without proper sanitization or isolation.
This vulnerability is considered high-risk due to its ease of exploitation and potential impact. Public proof-of-concept (POC) code is likely to emerge quickly, increasing the risk of widespread exploitation. While no active campaigns have been publicly reported as of August 1, 2025, the vulnerability's simplicity suggests it could be rapidly incorporated into exploit kits. The vulnerability was disclosed by Socket, and details are available on their blog. The NVD and CISA have published advisories for this CVE.
Exploit status
EPSS
24.36% (96th percentile)
CISA SSVC
The primary mitigation for CVE-2025-54782 is to upgrade @nestjs/devtools-integration to version 0.2.1 or later immediately. If upgrading is not feasible right away because of compatibility issues or breaking changes, disable the @nestjs/devtools-integration module entirely. Restricting the development HTTP server to trusted networks is only a partial measure: the malicious request is issued by the developer's own browser, which already sits inside the trusted network and can reach a server on the local machine, so a network restriction does not stop the browser-driven attack. No WAF or proxy rule mitigates this vulnerability without effectively disabling the module. After upgrading, confirm the installed version with `npm ls @nestjs/devtools-integration` (or `npm audit`) rather than by browsing to a website, which gives no reliable signal either way.
Update the `@nestjs/devtools-integration` package to version 0.2.1 or later; this fixes the remote code execution vulnerability. Run `npm install @nestjs/devtools-integration@latest` or `yarn add @nestjs/devtools-integration@latest` to update.
CVE-2025-54782 is a critical Remote Code Execution vulnerability in the @nestjs/devtools-integration package. It allows malicious websites to execute code on a developer's machine if the package is enabled and vulnerable versions are in use.
You are affected if you are using @nestjs/devtools-integration versions prior to 0.2.1 and have the module enabled. Check your project's dependencies and configuration to determine if you are vulnerable.
Upgrade the @nestjs/devtools-integration package to version 0.2.1 or later. If upgrading is not immediately possible, disable the module entirely.
While no active campaigns have been publicly reported as of August 1, 2025, the vulnerability's simplicity suggests it could be rapidly incorporated into exploit kits.
Refer to the Socket blog post detailing the vulnerability: https://socket.dev/blog/nestjs-rce-vuln. Check the NestJS GitHub repository and official documentation for updates.