
CVE

CVE-2025-62713

Kottster app reinitialization can be re-triggered allowing command injection in development mode

Impact

Development mode only. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode.

The vulnerability combines two issues:

  1. The initApp action can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token
  2. The installPackagesForDataSource action uses unescaped command arguments, enabling command injection

An attacker who can reach a running development instance can chain the two issues to:

  • Reinitialize the application and receive a JWT token for a new root account
  • Use this token to authenticate
  • Execute arbitrary system commands through installPackagesForDataSource

Production deployments were never affected.

Patches

Fixed in v3.3.2.

Specifically, @kottster/server v3.3.2 and @kottster/cli v3.3.2 address this vulnerability.

We recommend that developers using earlier versions of @kottster/server and @kottster/cli update all of the core packages to the latest release:

npm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest
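Before and after upgrading, it helps to confirm what is actually installed. The following is an added check, not part of this page or of Kottster's tooling: it reads the JSON printed by `npm ls --json --depth=0` and flags the core packages whose version falls inside the affected range, taken from the introduced (3.2.0) and fixed (3.3.2) versions listed on this page. The `SAMPLE` object is a constructed stand-in for that JSON.

```javascript
// Added example (not Kottster's tooling): flag installed @kottster core packages that fall in the
// affected range [3.2.0, 3.3.2) using the output of `npm ls --json --depth=0`.
const AFFECTED = { introduced: '3.2.0', fixed: '3.3.2' }; // from the advisory
const CORE = ['@kottster/server', '@kottster/cli'];

// Parse the leading major.minor.patch of a version string; pre-release suffixes are ignored here.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way compare of two version strings: -1, 0 or 1.
function cmp(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Half-open range: introduced <= version < fixed.
function isAffected(version) {
  return cmp(version, AFFECTED.introduced) >= 0 && cmp(version, AFFECTED.fixed) < 0;
}

// Walk the top-level dependencies from `npm ls --json --depth=0` and return the affected core packages.
function findAffected(npmLsJson) {
  const deps = npmLsJson.dependencies || {};
  return CORE.filter((n) => deps[n] && isAffected(deps[n].version))
             .map((n) => ({ name: n, version: deps[n].version }));
}

// Constructed sample of `npm ls --json --depth=0` output (not from a real project).
const SAMPLE = {
  name: 'demo',
  dependencies: {
    '@kottster/server': { version: '3.3.1' },
    '@kottster/cli': { version: '3.3.2' },
    '@kottster/common': { version: '3.3.1' },
  },
};

console.log(findAffected(SAMPLE));
```

To run it against a real project, pipe `npm ls --json --depth=0` into the script and call `findAffected(JSON.parse(stdin))`; an empty result means both core packages are already at or past 3.3.2.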

Workarounds

  • Do not expose development servers to public networks or untrusted users
  • Use production mode for any deployment accessible from outside trusted environments

Credit

We sincerely thank Jeongwon Jo (@P0cas) from RedAlert for discovering and responsibly disclosing this vulnerability.


CVSS

CVSS Version  Base Score  Severity  Score Vector
4.0           7.2         High      CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3.1           9.8         Critical  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


References

https://github.com/kottster/kottster/security/advisories/GHSA-j3w7-9qc3-g96p
https://nvd.nist.gov/vuln/detail/CVE-2025-62713
https://github.com/kottster/kottster/commit/0a7d24922a23aac98372155348787670937eef89
https://github.com/kottster/kottster


Basic Information

Ecosystem: npm
Base CVSS: 9.8
EPSS Probability: 0.00724 (0.72%)
EPSS Percentile: 0.72041 (72nd percentile)
Introduced Version: 3.2.0
Fix Available: 3.3.2
