Platform
nodejs
Component
@nestjs/devtools-integration
Fixed in
0.2.2
0.2.1
A critical Remote Code Execution (RCE) vulnerability has been identified in the @nestjs/devtools-integration package. This vulnerability arises from an unsafe JavaScript sandbox within the package's development HTTP server, allowing malicious websites to execute arbitrary code on a developer's local machine. The vulnerability affects versions prior to 0.2.1, and a fix is available in version 0.2.1, released on August 1, 2025.
The impact of CVE-2025-54782 is severe. An attacker controlling a website visited by a developer using @nestjs/devtools-integration can inject and execute arbitrary code on the developer's machine. This could lead to complete system compromise, including data theft, malware installation, and lateral movement within the developer's network. The vulnerability's reliance on a developer visiting a malicious website makes it particularly insidious, as it bypasses traditional network security controls. The unsafe safe-eval-like implementation is the root cause, enabling code execution without proper sanitization or isolation.
This vulnerability is considered high-risk due to its ease of exploitation and potential impact. Public proof-of-concept (POC) code is likely to emerge quickly, increasing the risk of widespread exploitation. While no active campaigns have been publicly reported as of August 1, 2025, the vulnerability's simplicity suggests it could be rapidly incorporated into exploit kits. The vulnerability was disclosed by Socket, and details are available on their blog. The NVD and CISA have published advisories for this CVE.
Exploit status
EPSS
24.36% (96th percentile)
CISA SSVC
The primary mitigation for CVE-2025-54782 is to immediately upgrade the @nestjs/devtools-integration package to version 0.2.1 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider disabling the @nestjs/devtools-integration module entirely. As a temporary workaround, restrict access to the development HTTP server to trusted networks only. There are no specific WAF or proxy rules that can effectively mitigate this vulnerability without disabling the module. After upgrading, confirm the fix by visiting a known safe website and verifying that no unexpected code is executed.
Update the @nestjs/devtools-integration package to version 0.2.1 or later. This fixes the remote code execution vulnerability. Run `npm install @nestjs/devtools-integration@latest` or `yarn add @nestjs/devtools-integration@latest` to update.
CVE-2025-54782 is a critical Remote Code Execution vulnerability in the @nestjs/devtools-integration package. It allows malicious websites to execute code on a developer's machine if the package is enabled and vulnerable versions are in use.
You are affected if you are using @nestjs/devtools-integration versions prior to 0.2.1 and have the module enabled. Check your project's dependencies and configuration to determine if you are vulnerable.
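A dependency check for the version condition above, added here as an example and not part of the original advisory: it walks a `package-lock.json` (lockfile version 2 or 3), reports every installed copy of @nestjs/devtools-integration (hoisted or nested), and flags those below 0.2.1. The sample lockfile is constructed; whether the module is actually enabled in your NestJS application still has to be checked in your code.

```javascript
// Added example (not from the advisory): find copies of @nestjs/devtools-integration
// in a package-lock.json and flag versions below the fixed release (CVE-2025-54782).
const PKG = '@nestjs/devtools-integration';
const FIXED = '0.2.1';

// Compare two semver-like strings on major.minor.patch; a prerelease sorts
// before its release (0.2.1-beta.0 < 0.2.1). Build metadata is ignored.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.replace(/^[v=^~]+/, '').split('+')[0].split('-');
    return { nums: core.split('.').map(Number), pre };
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Return every installed copy of the package (root or nested under another
// dependency) with its version and whether it is below the fixed version.
function findVulnerableCopies(lock) {
  const results = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith('node_modules/' + PKG)) continue;
    if (!meta.version) continue; // link entries carry no version
    results.push({ path, version: meta.version,
      vulnerable: compareVersions(meta.version, FIXED) < 0 });
  }
  return results;
}

// Constructed sample lockfile: one hoisted vulnerable copy, one nested fixed copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@nestjs/devtools-integration': { version: '0.1.6' },
    'node_modules/@nestjs/core': { version: '10.3.0' },
    'node_modules/some-lib/node_modules/@nestjs/devtools-integration': { version: '0.2.1' },
  },
};

// Usage on a real project: node check-devtools.js path/to/package-lock.json
if (typeof require !== 'undefined' && require.main === module) {
  const lockPath = process.argv[2];
  const lock = lockPath ? JSON.parse(require('fs').readFileSync(lockPath, 'utf8')) : SAMPLE_LOCK;
  for (const r of findVulnerableCopies(lock)) {
    console.log(`${r.path}@${r.version}: ${r.vulnerable ? 'VULNERABLE (< 0.2.1)' : 'ok'}`);
  }
}
```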
Upgrade the @nestjs/devtools-integration package to version 0.2.1 or later. If upgrading is not immediately possible, disable the module entirely.
While no active campaigns have been publicly reported as of August 1, 2025, the vulnerability's simplicity suggests it could be rapidly incorporated into exploit kits.
Refer to the Socket blog post detailing the vulnerability: https://socket.dev/blog/nestjs-rce-vuln. Check the NestJS GitHub repository and official documentation for updates.