What is CVE-2025-54782?

CVE-2025-54782 is a vulnerability in Nestjs Nest, classified under Command Injection. Published 2025-08-01.

Is CVE-2025-54782 known to be exploited?

7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Nestjs Nest

CVE-2025-54782

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the pac…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.351 (97.1th percentile) — read the EPSS interpretation.

Affected products

Nestjs Nest — versions < 0.2.1

Weakness classification (CWE)

Public proof-of-concept exploits

References

https://github.com/nestjs/nest/security/advisories/GHSA-85cg-cmq5-qjm7 (x_refsource_CONFIRM)
https://github.com/JLLeitschuh/nestjs-devtools-integration-rce-poc (x_refsource_MISC)
https://github.com/JLLeitschuh/nestjs-typescript-starter-w-devtools-integration (x_refsource_MISC)
https://nodejs.org/api/vm.html (x_refsource_MISC)
https://socket.dev/blog/nestjs-rce-vuln (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-54782?: CVE-2025-54782 is a vulnerability in Nestjs Nest, classified under Command Injection. Published 2025-08-01.
Is CVE-2025-54782 known to be exploited?: 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.