From 26bcf7a492eaef26a7473d43a7f9e810c5b31ae2 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Mon, 1 Sep 2025 16:55:25 +0200 Subject: [PATCH 1/4] Add CVE-2025-54782 rule --- .../crowdsecurity/CVE-2025-54782.yaml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 appsec-rules/crowdsecurity/CVE-2025-54782.yaml diff --git a/appsec-rules/crowdsecurity/CVE-2025-54782.yaml b/appsec-rules/crowdsecurity/CVE-2025-54782.yaml new file mode 100644 index 00000000000..99642243943 --- /dev/null +++ b/appsec-rules/crowdsecurity/CVE-2025-54782.yaml @@ -0,0 +1,31 @@ +## autogenerated on 2025-09-01 14:55:22 +name: crowdsecurity/vpatch-CVE-2025-54782 +description: 'Detects RCE in NestJS DevTools Integration via unsafe code execution in /inspector/graph/interact endpoint.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: equals + value: /inspector/graph/interact + - zones: + - RAW_BODY + transform: + - lowercase + match: + type: contains + value: '"code":' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'NestJS DevTools - RCE' + classification: + - cve.CVE-2025-54782 + - attack.T1190 + - cwe.CWE-77 From 377010360d31c5817de17960a899b43c7ff9f0b3 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Mon, 1 Sep 2025 16:55:27 +0200 Subject: [PATCH 2/4] Add CVE-2025-54782 test config --- .appsec-tests/CVE-2025-54782/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/CVE-2025-54782/config.yaml diff --git a/.appsec-tests/CVE-2025-54782/config.yaml b/.appsec-tests/CVE-2025-54782/config.yaml new file mode 100644 index 00000000000..3830d0dc854 --- /dev/null +++ b/.appsec-tests/CVE-2025-54782/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2025-09-01 14:55:22 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2025-54782.yaml +nuclei_template: CVE-2025-54782.yaml From e12d99ab8845e7c90f1ddc03e7242afe76d4ac31 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Mon, 1 Sep 2025 16:55:29 +0200 Subject: [PATCH 3/4] Add CVE-2025-54782.yaml test --- .../CVE-2025-54782/CVE-2025-54782.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .appsec-tests/CVE-2025-54782/CVE-2025-54782.yaml diff --git a/.appsec-tests/CVE-2025-54782/CVE-2025-54782.yaml b/.appsec-tests/CVE-2025-54782/CVE-2025-54782.yaml new file mode 100644 index 00000000000..9d02378fcae --- /dev/null +++ b/.appsec-tests/CVE-2025-54782/CVE-2025-54782.yaml @@ -0,0 +1,21 @@ +## autogenerated on 2025-09-01 14:55:22 +id: CVE-2025-54782 +info: + name: CVE-2025-54782 + author: crowdsec + severity: info + description: CVE-2025-54782 testing + tags: appsec-testing +http: + - raw: + - | + POST /inspector/graph/interact HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/plain + + {"code":"(function(){try{propertyIsEnumerable.call()}catch(pp){pp.constructor.constructor('return process')().mainModule.require('child_process').execSync('id')}})()"} + cookie-reuse: true + matchers: + - type: status + status: + - 403 From f75b928fae2f1df6e51ff05370f46fac6590fd79 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Mon, 1 Sep 2025 16:55:30 +0200 Subject: [PATCH 4/4] Add CVE-2025-54782 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index be69426f031..7c908b06d9e 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -90,6 +90,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2024-27292 - crowdsecurity/vpatch-CVE-2025-24893 - crowdsecurity/vpatch-CVE-2021-43798 +- crowdsecurity/CVE-2025-54782 author: crowdsecurity contexts: - crowdsecurity/appsec_base