EXECUTIVE SUMMARY:
A critical remote code execution vulnerability has been identified in NestJS Devtools, a popular developer tool for the NestJS framework. This flaw, tracked as CVE-2025-54782, allows attackers to execute arbitrary system commands by tricking users into visiting a malicious website.
- CVE-2025-54782: This vulnerability arises from the use of the node-inspector package, which exposes a WebSocket interface without authentication. When NestJS Devtools runs in development mode, it automatically starts a server that listens on all interfaces, making it reachable from the local network or the internet. If a developer opens a malicious website while the Devtools server is active, the attacker can use the WebSocket interface to execute arbitrary commands on the developer's machine. The flaw carries a CVSS v4 score of 9.8, marking it as critical. Under certain conditions, especially during development workflows, it enables remote attackers to take full control of the host system.
This vulnerability poses a severe risk, especially for developers running NestJS Devtools in unsecured environments. Remote attackers can achieve full command execution without user interaction beyond visiting a malicious webpage.
RECOMMENDATION:
- We strongly recommend you update NestJS Devtools to version 0.2.1 or later.
REFERENCES:
The following reports contain further technical details: