A critical security vulnerability has been disclosed in the NestJS framework’s developer tooling that enables remote code execution (RCE) against the machines of JavaScript developers.
The flaw, tracked as CVE-2025-54782, affects the @nestjs/devtools-integration package: a malicious website visited by a developer can send code to the locally running development server, which evaluates it inside a Node.js vm sandbox that the code can escape to reach the host process.
Key Takeaways
1. A critical RCE flaw in the NestJS devtools integration lets a malicious website run code on a developer’s machine.
2. Root cause: an unsafe vm-based JavaScript sandbox combined with missing Origin and Content-Type validation on the local endpoint.
3. Upgrade @nestjs/devtools-integration to 0.2.1 or later.
The vulnerability carries a critical severity rating of 9.4 on the CVSS v4 scale, reflecting the immediate danger it poses to the development community.
NestJS, described as “a progressive Node.js framework for building efficient and scalable server-side applications,” has over 4,100 followers on GitHub and is widely used in enterprise-grade applications.
NestJS Sandbox RCE Vulnerability
The flaw sits in the @nestjs/devtools-integration package’s HTTP endpoint /inspector/graph/interact, served by the local development server. It accepts a JSON body containing a code field and evaluates that string with Node.js’s vm.runInNewContext.
The wrapper closely resembles the abandoned safe-eval library and inherits its weakness: a vm context isolates globals, but a sandbox object created in the host realm carries references (its prototype chain and constructor) back to that realm, and Node.js itself documents that the vm module is not a security mechanism for untrusted code.
The problematic sandbox implementation follows that same pattern, so any string sent to the endpoint can break out to the host process.
The sandbox escape becomes remotely reachable because the endpoint’s Cross-Origin Resource Sharing (CORS) handling is ineffective.
The server sets Access-Control-Allow-Origin to https://devtools[.]nestjs.com, but that response header only controls whether a cross-origin page may read the response; it does not stop the browser from sending the request, and the server never checks the request’s Origin or Content-Type headers before executing the code.
A POST with Content-Type text/plain (what an ordinary HTML form with enctype="text/plain" produces) is a CORS “simple request” that browsers send without a preflight, so an attacker’s page can deliver the JSON payload straight to the local server and the code runs before any CORS decision matters.
| Risk Factors | Details |
| --- | --- |
| Affected Products | @nestjs/devtools-integration package (npm) ≤ 0.2.0 |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | Developer visits a malicious website; NestJS devtools integration enabled; development server running locally |
| CVSS v4 Score | 9.4 |
Security researcher JLLeitschuh, working on behalf of Socket, demonstrated the exploit with a simple HTML form that fires the request as soon as a developer visits a malicious website.
The proof-of-concept payload leverages JavaScript’s property enumeration to escape the sandbox and reach Node.js’s child_process module, giving arbitrary command execution on the developer’s machine.
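The request path described in the CORS section and in the proof-of-concept above, as an added example that is neither the package’s middleware nor the researcher’s PoC: how a text/plain form post from an attacker page reaches the local endpoint without a preflight, why the vulnerable pattern (set a CORS response header, parse the body as JSON regardless) still executes it, and the request-side checks that reject it. The attacker origin, the port in the form action, the Bearer-token scheme and the field names are constructed assumptions; the preflight classification is simplified to the Content-Type rule that matters here.

```javascript
// Added illustration, not the package's real middleware or the researcher's
// PoC: how a cross-origin HTML form reaches a local endpoint without a CORS
// preflight, why an Access-Control-Allow-Origin header alone does not stop it,
// and the request-side checks that do. Origins, tokens and the attacker page
// are constructed for the example.
const ALLOWED_ORIGIN = 'https://devtools.nestjs.com';
const CORS_SAFELISTED_TYPES = ['text/plain', 'application/x-www-form-urlencoded', 'multipart/form-data'];

function mediaType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// A POST whose Content-Type is one of the three form media types is a CORS
// "simple request": the browser sends it immediately, with no OPTIONS preflight,
// so the server-side handler runs whatever CORS headers the response carries.
function isSentWithoutPreflight(req) {
  return req.method === 'POST' && CORS_SAFELISTED_TYPES.includes(mediaType(req.headers['content-type']));
}

// What the browser sends for an attacker page containing
//   <form method="POST" enctype="text/plain" action="http://localhost:8000/inspector/graph/interact">
//     <input name='{"code":"<payload>","pad":"' value='"}'>
//   </form>
// text/plain form encoding emits `name=value`, so choosing name and value this
// way makes the body parse as JSON: {"code":"<payload>","pad":"="}.
// (The port and the field names are assumptions.)
function attackerFormRequest(payload) {
  const name = '{"code":' + JSON.stringify(payload) + ',"pad":"';
  const value = '"}';
  return {
    method: 'POST',
    headers: { origin: 'https://attacker.example', 'content-type': 'text/plain' },
    body: name + '=' + value + '\r\n',
  };
}

// What the legitimate devtools client would send (token scheme is an assumption).
function devtoolsRequest(code, token) {
  return {
    method: 'POST',
    headers: { origin: ALLOWED_ORIGIN, 'content-type': 'application/json', authorization: 'Bearer ' + token },
    body: JSON.stringify({ code }),
  };
}

// Vulnerable pattern as the article describes it: set the CORS response header,
// parse the body as JSON whatever its declared type, hand `code` to the sandbox.
function vulnerableHandle(req) {
  const { code } = JSON.parse(req.body);
  return { executed: true, code, responseHeaders: { 'access-control-allow-origin': ALLOWED_ORIGIN } };
}

// Hardened pattern: check the request before doing anything with it. Requiring
// application/json and an Authorization header forces a browser to preflight,
// the Origin check rejects any page other than the devtools UI, and the token
// covers non-browser clients, which can forge Origin.
function hardenedHandle(req, expectedToken) {
  const reject = (reason) => ({ executed: false, status: 403, reason });
  if (req.headers['origin'] !== ALLOWED_ORIGIN) return reject('origin');
  if (mediaType(req.headers['content-type']) !== 'application/json') return reject('content-type');
  if (req.headers['authorization'] !== 'Bearer ' + expectedToken) return reject('auth');
  let body;
  try { body = JSON.parse(req.body); } catch { return { executed: false, status: 400, reason: 'body' }; }
  if (typeof body.code !== 'string') return { executed: false, status: 400, reason: 'body' };
  return {
    executed: true,
    code: body.code,
    responseHeaders: { 'access-control-allow-origin': ALLOWED_ORIGIN, vary: 'Origin' },
  };
}
```

The order of checks matters less than their presence: once the endpoint demands application/json plus an Authorization header, a browser will not send the request without a preflight, and a preflight that the server does not answer for an attacker origin never turns into the real POST.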
The NestJS maintainers fixed the issue in version 0.2.1 by replacing the vm-based sandbox with @nyariv/sandboxjs, validating the request origin, and requiring authentication for devtools connections.
Developers running affected versions (≤ 0.2.0) should upgrade immediately; since the endpoint is only exposed while the devtools integration is enabled on a running development server, disabling the integration is an interim mitigation until the upgrade is in place.
The post NestJS Framework Vulnerability Let Attackers Execute Arbitrary Code in Developers Machine appeared first on Cyber Security News.