GHSA-J3W7-9QC3-G96P

Vulnerability from github – Published: 2025-10-23 16:01 – Updated: 2025-10-23 20:37
Summary
Kottster app reinitialization can be re-triggered allowing command injection in development mode
Details

Impact

Development mode only. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode.

The vulnerability combines two issues:

  1. The initApp action can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token
  2. The installPackagesForDataSource action uses unescaped command arguments, enabling command injection

An attacker with access to a locally running development instance can chain these vulnerabilities to:

  • Reinitialize the application and receive a JWT token for a new root account
  • Use this token to authenticate
  • Execute arbitrary system commands through installPackagesForDataSource

Production deployments were never affected.

Patches

Fixed in v3.3.2.

Specifically, @kottster/server v3.3.2 and @kottster/cli v3.3.2 address this vulnerability.

We recommend developers using earlier versions of @kottster/server and @kottster/cli update all the core packages to latest release:

npm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest

Workarounds

  • Do not expose development servers to public networks or untrusted users
  • Use production mode for any deployment accessible from outside trusted environments

Credit

We sincerely thank Jeongwon Jo (@P0cas) from RedAlert for discovering and responsibly disclosing this vulnerability.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@kottster/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.0"
            },
            {
              "fixed": "3.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-23T16:01:35Z",
    "nvd_published_at": "2025-10-23T17:15:40Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\n**Development mode only**. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode.\n\nThe vulnerability combines two issues:\n1. The `initApp` action can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token\n2. The `installPackagesForDataSource` action uses unescaped command arguments, enabling command injection\n\nAn attacker with access to a locally running development instance can chain these vulnerabilities to:\n- Reinitialize the application and receive a JWT token for a new root account\n- Use this token to authenticate\n- Execute arbitrary system commands through `installPackagesForDataSource`\n\n**Production deployments were never affected.**\n\n### Patches\n\nFixed in [v3.3.2](https://github.com/kottster/kottster/releases/tag/v3.3.2).\n\nSpecifically, `@kottster/server` [v3.3.2](https://www.npmjs.com/package/@kottster/server/v/3.3.2) and `@kottster/cli` [v3.3.2](https://www.npmjs.com/package/@kottster/cli/v/3.3.2) address this vulnerability.\n\nWe recommend developers using earlier versions of `@kottster/server` and `@kottster/cli` update all the core packages to latest release:\n\n```\nnpm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest\n```\n\n### Workarounds\n\n- Do not expose development servers to public networks or untrusted users\n- Use production mode for any deployment accessible from outside trusted environments\n\n### Credit\n\nWe sincerely thank Jeongwon Jo ([@P0cas](https://github.com/P0cas)) from **RedAlert** for discovering and responsibly disclosing this vulnerability.",
  "id": "GHSA-j3w7-9qc3-g96p",
  "modified": "2025-10-23T20:37:07Z",
  "published": "2025-10-23T16:01:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kottster/kottster/security/advisories/GHSA-j3w7-9qc3-g96p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kottster/kottster/commit/0a7d24922a23aac98372155348787670937eef89"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kottster/kottster"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kottster app reinitialization can be re-triggered allowing command injection in development mode"
}

