Critical Vulnerability in NestJS Devtools: Localhost RCE via Sandbox Escape
Ever look at a bit of JavaScript sandboxing code and say to yourself “I know I can probably break out of that”? No? Just me? Must be a security researcher thing.
As a hacker, one of the best places to find vulnerabilities is in servers running locally on dev machines. Why? Because browsers still haven’t patched a 19-year-old security vulnerability that allows any website to cross-talk from the public internet to local services on your machine. This long-standing vulnerability allows your browser to operate as a confused deputy, letting attackers use your browser to pivot and make HTTP requests to your local machine.
Combine that localhost server with an API endpoint that executes arbitrary code inside a sandbox that can be broken out of, and you find yourself looking at a critical RCE vulnerability.
How did we get here? As part of our ongoing review of findings from Socket’s AI-based malware detection, we examined a set of alerts that were classified as potential “vulnerabilities.” During this process, one alert in particular stood out: a piece of code flagged in @nestjs/devtools-integration that warranted deeper investigation.
To read the complete article, see: Critical Vulnerability in NestJS Devtools.