
Sarah Gooding
December 6, 2024
JavaScript enthusiasts celebrated the language’s 29th birthday this week, coinciding with the Node.js team delivering some exciting updates. The project has seen significant progress and improvements in late 2024, focusing on security, automation, and new features. Here’s a quick roundup of the most important changes developers need to know:
Node.js shipped version 22.12.0 'Jod' this week, its first LTS release with require(esm) enabled by default. The feature is still experimental, but it is no longer behind the --experimental-require-module flag. Support for loading native ES modules via require() is an exciting milestone that affects the whole ecosystem.
Node.js TSC delegate Joyee Cheung, who contributed this feature, gave a brief background on why it was needed:
It helps accelerate ESM adoption in the ecosystem, as package authors can start shipping native ESM with less breakage to their CJS users; it also helps frameworks and tools that take plugins to support native ESM in user/plugin code whilst they are still navigating their own migration to ESM.
Automating the release process is an initiative that Node.js maintainers have been working on since 2023, with the goal of reducing the number of time-consuming steps needed to perform a release. In the last couple of months, the project has made major progress in automating some of the housekeeping around security releases, which has made the team more efficient.
Node.js reports processing its lowest ever number of security reports (10) in October–November 2024. A brief breakdown of the reports:
The team attributes the low number of reports to “the effectiveness of our updated security policies in enhancing overall system protection.” They have also improved the release workflow with an automated command for updating the website banner and blog post locations, along with the CVE-ID metadata automatically added to changelogs, speeding up security release proposals.
These recent milestones demonstrate Node.js' ongoing commitment to driving the ecosystem forward and suggest that the platform will remain a powerful force behind JavaScript's adaptability, performance, and global impact for years to come.
By enabling require(esm) by default in an LTS release, Node.js is addressing one of the ecosystem's long-standing hurdles—bridging the gap between CommonJS and ES Modules. This shift indicates a commitment to easing the ESM adoption curve, paving the way for modern, interoperable JavaScript development.