Advisory

Critical remote code execution flaw in NestJS development tools enables attacks against developers

Take action: If you're using NestJS development tools (@nestjs/devtools-integration), immediately upgrade to version 0.2.1. In the meantime, BE VERY CAREFUL about visiting untrusted websites while your NestJS development server is running.

Learn More

NestJS is reporting a critical vulnerability in its development tools integration package that allows malicious websites to execute arbitrary code on developers' local machines. 

This flaw is tracked as CVE-2025-54782 (CVSS score 9.4) and affects the @nestjs/devtools-integration package, which is widely used by developers working with NestJS. When enabled during development, this package exposes a local HTTP server that becomes the entry point for remote code execution attacks. It can compromise developer machines with minimal user interaction, requiring only that a developer visit a malicious website while running their development environment.

One endpoint of the exposed HTTP server, /inspector/graph/interact, accepts JSON input containing a code field and executes the supplied code inside a Node.js vm.runInNewContext sandbox. This provides no real security boundary: the Node.js vm module is explicitly documented as not being a security mechanism for running untrusted code.

The vulnerability is compounded by inadequate Cross-Origin Resource Sharing (CORS) protections. While the server sets Access-Control-Allow-Origin to a fixed domain (https://devtools.nestjs.com), it does not properly validate the request's Origin or Content-Type headers, so the response header alone does nothing to stop a cross-site request from reaching the endpoint.

Attackers can exploit this weakness by crafting POST requests with text/plain content type using HTML forms or simple XMLHttpRequest calls:

  • Cross-Origin Request Bypass: Attacker creates a malicious website with an HTML form or XHR request that targets http://localhost:8000/inspector/graph/interact using text/plain content-type, which bypasses CORS preflight checks and allows the request to reach the vulnerable NestJS devtools endpoint.
  • Sandbox Escape via Constructor Chain: The payload uses propertyIsEnumerable.call() to intentionally trigger a JavaScript exception, then exploits the error object's constructor chain (pp.constructor.constructor('return process')()) to escape the flawed vm.runInNewContext sandbox and regain access to Node.js's global process object.
  • Remote Code Execution: Once the sandbox is escaped, the payload uses process.mainModule.require('child_process').execSync() to execute arbitrary system commands on the developer's machine, such as launching applications, creating files, or potentially installing malware - all triggered simply by visiting the malicious website while the development server is running.
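The two checks whose absence the bullets above describe, as an added defensive illustration (this is not NestJS's code or its patch): a request gate that compares the Origin header against the single allowed devtools origin and refuses the text/plain content type that lets a cross-site form post skip the CORS preflight. The names ALLOWED_ORIGIN and gateInteractRequest are assumptions; the sample headers are constructed.

```javascript
// Added example, not NestJS code. Gate for a local devtools endpoint that
// otherwise trusts any POST it receives. Function and constant names are
// hypothetical.
const ALLOWED_ORIGIN = "https://devtools.nestjs.com";

// Case-insensitive header lookup (header objects may use any casing).
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Returns { allowed, reason }. Browsers attach an Origin header to every
// cross-site POST, so a form or XHR fired from another site can be told apart
// from the legitimate devtools UI. Setting Access-Control-Allow-Origin on the
// response only governs whether the page may *read* the reply; it never stops
// the request itself from reaching the server, which is why the server must
// check the request's Origin.
function gateInteractRequest(headers) {
  const origin = header(headers, "origin");
  if (origin === undefined) {
    return { allowed: false, reason: "missing Origin header" };
  }
  if (origin !== ALLOWED_ORIGIN) {
    return { allowed: false, reason: `origin ${origin} not allowed` };
  }
  // text/plain is a "simple" content type: a cross-site form post carrying it
  // is sent without a preflight. Requiring application/json forces a preflight
  // (OPTIONS) that the server can refuse for foreign origins.
  const raw = header(headers, "content-type") || "";
  const contentType = raw.split(";")[0].trim().toLowerCase();
  if (contentType !== "application/json") {
    return { allowed: false, reason: `content-type ${contentType || "(none)"} not allowed` };
  }
  return { allowed: true, reason: "ok" };
}

// Constructed sample requests: a cross-site form post, a same-origin
// text/plain post, and a legitimate devtools request.
const SAMPLE_REQUESTS = {
  crossSiteForm: { Origin: "https://attacker.example", "Content-Type": "text/plain" },
  plainFromDevtools: { origin: ALLOWED_ORIGIN, "content-type": "text/plain" },
  legitimate: { Origin: ALLOWED_ORIGIN, "Content-Type": "application/json; charset=utf-8" },
};

// Note: this gate only keeps untrusted pages out; it does not make
// vm.runInNewContext a safe place to evaluate request-supplied code.
```

Run gateInteractRequest over SAMPLE_REQUESTS to see that only the legitimate request passes; the gate must run before the body is parsed or handed to the vm.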

Affected versions include all releases of @nestjs/devtools-integration up to and including version 0.2.0. 

The vulnerability affects developers using these versions in their local development environments, regardless of whether the application is deployed to production environments. 

NestJS maintainers have patched this flaw in version 0.2.1. Developers using affected versions should immediately upgrade to @nestjs/devtools-integration version 0.2.1 or later.