Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

nestjs

Source -

NVDCNA

BOS Name -

N/A

CNA CVEs -

1

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

2
Related CVEsRelated ProductsRelated AssignersReports
3Vulnerabilities found
CVE-2025-54782
Assigner-GitHub, Inc.
ShareView Details
Assigner-GitHub, Inc.
CVSS Score-9.4||CRITICAL
EPSS-4.66% / 88.88%
||
7 Day CHG+0.42%
Published-01 Aug, 2025 | 23:36
Updated-04 Aug, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
@nestjs/devtools-integration's CSRF to Sandbox Escape Allows for RCE against JS Developers

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1.

Action-Not Available
Vendor-nestjs
Product-nest
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-29409
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.09% / 26.11%
||
7 Day CHG+0.01%
Published-14 Mar, 2025 | 00:00
Updated-03 Apr, 2025 | 15:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

File Upload vulnerability in nestjs nest v.10.3.2 allows a remote attacker to execute arbitrary code via the Content-Type header.

Action-Not Available
Vendor-nestjsn/a
Product-nestn/a
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2023-26108
Assigner-Snyk
ShareView Details
Assigner-Snyk
CVSS Score-3.7||LOW
EPSS-0.09% / 25.97%
||
7 Day CHG~0.00%
Published-06 Mar, 2023 | 05:00
Updated-05 Mar, 2025 | 19:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploiting this vulnerability is possible when the client cancels a request while it is streaming a StreamableFile, the stream wrapped by the StreamableFile will be kept open.

Action-Not Available
Vendor-nestjsn/a
Product-nest@nestjs/core
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor