PT-2025-31707 · Unknown+1 · @Nestjs/Devtools-Integration+1

Jlleitschuh · Published 2025-08-01 · Updated 2025-10-09 · CVE-2025-54782

CVSS v4.0: 9.4 Critical
Vector: AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions
@nestjs/devtools-integration versions 0.2.0 and below
Description
A critical Remote Code Execution (RCE) vulnerability exists in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox implementation. Because of improper sandboxing and missing cross-origin protections, a malicious website visited by a developer can execute arbitrary code on the developer's local machine. The vulnerable endpoint, /inspector/graph/interact, accepts JSON input containing a code field, which is then executed in a Node.js vm.runInNewContext sandbox. The sandbox implementation is similar to the abandoned safe-eval library and is easily escaped. The server also lacks proper CORS/Origin checking, so requests that originate from other websites are not rejected.
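The following request guard is an added example, not code from @nestjs/devtools-integration or its fix: it shows the kind of Origin check the description says the local server lacked, and goes slightly further by also validating Host and Content-Type. The allow-listed origin, the host and port values, and the names checkDevRequest, SAMPLES and triage are assumptions made for illustration.

```javascript
// Added example, not code from @nestjs/devtools-integration.
// Both allow-lists are assumed values chosen for illustration.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']);
const ALLOWED_HOSTS = new Set(['localhost:8000', '127.0.0.1:8000']);

// Decide whether a request to a loopback-only dev API may reach its handler.
function checkDevRequest(method, rawHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const m = method.toUpperCase();
  // Host must be a name the server is bound to; a request addressed to any
  // other name did not come from a client that meant to talk to localhost.
  if (!ALLOWED_HOSTS.has((h.host || '').toLowerCase())) {
    return { allow: false, reason: 'host' };
  }
  // Anything other than GET/HEAD needs an allow-listed Origin. A missing
  // header or the literal "null" is not in the set, so both are refused.
  if (m !== 'GET' && m !== 'HEAD' && !ALLOWED_ORIGINS.has(h.origin)) {
    return { allow: false, reason: 'origin' };
  }
  // Bodies must be declared as JSON: text/plain and form types are "simple"
  // content types that a browser sends cross-origin without a preflight.
  if (m === 'POST' || m === 'PUT' || m === 'PATCH') {
    const type = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
    if (type !== 'application/json') {
      return { allow: false, reason: 'content-type' };
    }
  }
  return { allow: true, reason: 'ok' };
}

// Constructed sample requests to /inspector/graph/interact (headers only).
const JSON_TYPE = 'application/json; charset=utf-8';
const SAMPLES = [
  { name: 'dev UI', method: 'POST',
    headers: { Host: 'localhost:8000', Origin: 'http://localhost:3000', 'Content-Type': JSON_TYPE } },
  { name: 'foreign page', method: 'POST',
    headers: { Host: 'localhost:8000', Origin: 'https://untrusted.example', 'Content-Type': 'text/plain' } },
  { name: 'foreign host name', method: 'POST',
    headers: { Host: 'untrusted.example:8000', Origin: 'http://localhost:3000', 'Content-Type': JSON_TYPE } },
  { name: 'allowed origin, plain text body', method: 'POST',
    headers: { Host: 'localhost:8000', Origin: 'http://localhost:3000', 'Content-Type': 'text/plain' } },
];

// Returns one "name: reason" line per sample request.
function triage(samples) {
  return samples.map((s) => `${s.name}: ${checkDevRequest(s.method, s.headers).reason}`);
}
console.log(triage(SAMPLES).join('\n'));
```

A guard like this only narrows who can reach the endpoint; it does not make the vm-based sandbox safe, so updating as recommended remains necessary.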
Recommendations
Update to version 0.2.1 or later.

Exploit · Fix · RCE · Command Injection · CSRF · OS Command Injection


Weakness Enumeration

Related Identifiers

BDU:2025-13414
CVE-2025-54782
GHSA-85CG-CMQ5-QJM7

Affected Products

@Nestjs/Devtools-Integration
Nest