CNNVD-202508-117 Information

CNNVD ID

CNNVD-202508-117

CVE-2025-54782

  • CNNVD Published: 2025-08-02

Description

Nest is an open-source Node.js framework from nestjs for building efficient, scalable, enterprise-grade server-side applications with TypeScript/JavaScript. Nest 0.2.0 and earlier versions contain a command injection vulnerability, which stems from an unsafe JavaScript sandbox in the @nestjs/devtools-integration package and may lead to remote code execution.

Hazard Level

High

Vulnerability Type

Command Injection

Affected Vendor

nestjs

Published

2025-08-02

Last Modified

2026-02-24

References

  • https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7
  • https://github.com/JLLeitschuh/nestjs-typescript-starter-w-devtools-integration
  • https://github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc
  • https://nodejs.org/api/vm.html
  • https://socket.dev/blog/nestjs-rce-vuln
  • https://access.redhat.com/security/cve/cve-2025-54782

Patch

https://github.com/nestjs/nest/releases
