CVE-2025-62713
Kottster app reinitialization can be re-triggered allowing command injection in development mode
Description
### Impact

**Development mode only**. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. The vulnerability combines two issues:

1. The `initApp` action can be called repeatedly without checking whether the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token
2. The `installPackagesForDataSource` action uses unescaped command arguments, enabling command injection

An attacker with access to a locally running development instance can chain these vulnerabilities to:

- Reinitialize the application and receive a JWT token for a new root account
- Use this token to authenticate
- Execute arbitrary system commands through `installPackagesForDataSource`

**Production deployments were never affected.**

### Patches

Fixed in [v3.3.2](https://github.com/kottster/kottster/releases/tag/v3.3.2). Specifically, `@kottster/server` [v3.3.2](https://www.npmjs.com/package/@kottster/server/v/3.3.2) and `@kottster/cli` [v3.3.2](https://www.npmjs.com/package/@kottster/cli/v/3.3.2) address this vulnerability. We recommend developers using earlier versions of `@kottster/server` and `@kottster/cli` update all the core packages to the latest release:

```
npm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest
```

### Workarounds

- Do not expose development servers to public networks or untrusted users
- Use production mode for any deployment accessible from outside trusted environments

### Credit

We sincerely thank Jeongwon Jo ([@P0cas](https://github.com/P0cas)) from **RedAlert** for discovering and responsibly disclosing this vulnerability.
How to fix CVE-2025-62713
To remediate CVE-2025-62713, upgrade the affected package to a fixed version below.
- —upgrade to 3.3.2 or later
Is CVE-2025-62713 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.