What is CVE-2025-54782 and how critical is it?

CVE-2025-54782 is a critical vulnerability in NestJS with a CVSS score of 9.4. It affects the @nestjs/devtools-integration package and allows malicious websites to execute arbitrary code on developers' local machines through remote code execution attacks.

Which NestJS package is affected by this vulnerability?

The vulnerability affects the @nestjs/devtools-integration package, which is widely used by developers working with NestJS development environments.

How does the NestJS vulnerability work?

When enabled during development, the package exposes a local HTTP server that becomes an entry point for attacks. The /inspector/graph/interact endpoint accepts JSON input with a code field and executes it within a Node.js vm.runInNewContext sandbox, which lacks adequate security controls for untrusted code execution.

What makes this vulnerability particularly dangerous?

The vulnerability can compromise developer machines with minimal user interaction - requiring only that a developer visit a malicious website while running their development environment. It also has inadequate CORS protections, allowing attackers to bypass security measures using HTML forms or XMLHttpRequest calls with text/plain content type.

How do attackers exploit this NestJS vulnerability?

Attackers exploit this through a three-step process: 1) Cross-Origin Request Bypass using malicious websites that target the local development server, 2) Sandbox Escape via Constructor Chain by exploiting error object's constructor chain to escape the flawed vm.runInNewContext sandbox, and 3) Remote Code Execution using process.mainModule.require('child_process').execSync() to execute arbitrary system commands.

Which versions of @nestjs/devtools-integration are affected?

All releases of @nestjs/devtools-integration up to and including version 0.2.0 are affected by this vulnerability. The vulnerability affects developers using these versions in their local development environments, regardless of whether the application is deployed to production.

How can I fix this NestJS vulnerability?

NestJS maintainers have patched this flaw in version 0.2.1. Developers using affected versions should immediately upgrade to @nestjs/devtools-integration version 0.2.1 or later to resolve the security issue.

Does this vulnerability affect production environments?

No, this vulnerability specifically affects developers using the affected versions in their local development environments, regardless of whether the application is deployed to production environments. The devtools-integration package is typically only used during development.

Advisory

Critical buffer overflow flaw in Squid HTTP Proxy enables remote code execution

published: Aug. 4, 2025

Take action: If you're running Squid proxy software, plan a quick upgrade to version 6.4 or later, because there's a flaw that can enable malicious websites to breach the Squid server. Check with your proxy vendors as well, you may not have direct access to the proxy in a commercial product.

Learn More

Squid has patched a critical security vulnerability that enabled remote code execution in the proxy software.

The flaw is tracked as CVE-2025-54574 (CVSS score 9.3), a heap buffer overflow vulnerability in the buffer management of Squid's URN (Uniform Resource Name) processing functionality. It enables remote servers to perform buffer overflow attacks when delivering URN Trivial-HTTP responses, allowing delivery of up to 4KB of Squid allocated heap memory to clients.

It allows remote attackers to potentially execute arbitrary code on affected systems and expose sensitive memory contents without requiring authentication or user interaction.

Step 1: Target Identification An attacker identifies a vulnerable Squid proxy server (versions below 6.4) that processes URN requests. The attacker needs to be able to send HTTP responses to the proxy, typically by controlling a web server that the proxy might connect to.
Step 2: Malicious URN Response The attacker crafts a specially malformed URN Trivial-HTTP response with oversized data that exceeds the expected buffer boundaries in Squid's URN processing code. This response exploits the incorrect buffer management to trigger a heap buffer overflow.
Step 3: Memory Exposure/Code Execution When Squid processes the malicious URN response, the buffer overflow occurs, potentially allowing the attacker to:
- Read up to 4KB of heap memory containing sensitive data (credentials, tokens, etc.)
- In worst-case scenarios, achieve remote code execution on the proxy server

Affected versions of Squid:

All Squid 4.x versions up to and including 4.17
All Squid 5.x versions up to and including 5.9
All Squid 6.x versions up to and including 6.3
Squid versions older than 4.14 (untested but assumed vulnerable)

Versions that are not affected:

Squid version 6.4 and later versions

Squid has patched this vulnerability in version 6.4, and patches for stable releases can be found in the project's patch archives.

Organizations should upgrade to Squid version 6.4 or later or to the patched versions of their stable release. For environments where immediate upgrading is not feasible, administrators can implement a temporary workaround by disabling URN access permissions in the configuration: add access control list rules to deny URN protocol requests: "acl URN proto URN" followed by "http_access deny URN", effectively blocking the vulnerable code path until proper patching can be completed.

Critical buffer overflow flaw in Squid HTTP Proxy enables remote code execution

Read More
XSS vulnerability in Zimbra collaboration suite under active …
Coordinated cyberattacks target two years old Zyxel firewall …
Critical vulnerability in Bitdefender's GravityZone Update Server
IBM reports multiple flaws in QRadar SIEM, at …
Fortinet warns of active exploitation of 2FA Bypass …