CVE-2025-62713
Kottster app reinitialization can be re-triggered allowing command injection in development mode
Description
### Impact

**Development mode only**. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. The vulnerability combines two issues:

1. The `initApp` action can be called repeatedly without checking whether the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token.
2. The `installPackagesForDataSource` action uses unescaped command arguments, enabling command injection.

An attacker with access to a locally running development instance can chain these vulnerabilities to:

- Reinitialize the application and receive a JWT token for a new root account
- Use this token to authenticate
- Execute arbitrary system commands through `installPackagesForDataSource`

**Production deployments were never affected.**

### Patches

Fixed in [v3.3.2](https://github.com/kottster/kottster/releases/tag/v3.3.2). Specifically, `@kottster/server` [v3.3.2](https://www.npmjs.com/package/@kottster/server/v/3.3.2) and `@kottster/cli` [v3.3.2](https://www.npmjs.com/package/@kottster/cli/v/3.3.2) address this vulnerability. We recommend that developers using earlier versions of `@kottster/server` and `@kottster/cli` update all the core packages to the latest release:

```
npm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest
```

### Workarounds

- Do not expose development servers to public networks or untrusted users
- Use production mode for any deployment accessible from outside trusted environments

### Credit

We sincerely thank Jeongwon Jo ([@P0cas](https://github.com/P0cas)) from **RedAlert** for discovering and responsibly disclosing this vulnerability.
How to patch CVE-2025-62713
To patch CVE-2025-62713, upgrade the affected package to the patched version listed below.
- — Upgrade to 3.3.2 or later
Is CVE-2025-62713 being exploited?
Low: EPSS score 0.9%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- >= 3.2.0, < 3.3.2