N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-62713

GHSA ID

GHSA-j3w7-9qc3-g96p

EPSS Score

CWE

CWE-78

Published

10/23/2025

Updated

10/23/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62713

CVE-2025-62713: Kottster app reinitialization can be re-triggered allowing command injection in development mode

Impact

Development mode only. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode.

The vulnerability combines two issues:

The initApp action can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token
The installPackagesForDataSource action uses unescaped command arguments, enabling command injection

An attacker with access to a locally running development instance can chain these vulnerabilities to:

Reinitialize the application and receive a JWT token for a new root account
Use this token to authenticate
Execute arbitrary system commands through installPackagesForDataSource

Production deployments were never affected.

Patches

Fixed in v3.3.2.

Specifically, @kottster/server v3.3.2 and @kottster/cli v3.3.2 address this vulnerability.

We recommend developers using earlier versions of @kottster/server and @kottster/cli update all the core packages to latest release:

npm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest

Workarounds

Do not expose development servers to public networks or untrusted users
Use production mode for any deployment accessible from outside trusted environments

Credit

We sincerely thank Jeongwon Jo (@P0cas) from RedAlert for discovering and responsibly disclosing this vulnerability.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

CVE-2025-62713

GHSA ID

GHSA-j3w7-9qc3-g96p

EPSS Score

CWE

CWE-78

Published

10/23/2025

Updated

10/23/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@kottster/server	npm	>= 3.2.0, < 3.3.2	3.3.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a chain of two issues present only in the development mode of the Kottster application. The analysis of the provided patch commit 0a7d24922a23aac98372155348787670937eef89 confirms the description of the vulnerability.

First, the InitApp.execute function in packages/server/lib/actions/initApp.action.ts lacked a check to see if the application was already initialized. This allowed an attacker to call this action repeatedly, effectively creating a new administrative user and gaining an authentication token. The patch adds a check isSchemaEmpty(this.app.schema) to prevent this re-initialization.

Second, the InstallPackagesForDataSource.execute function in packages/server/lib/actions/installPackagesForDataSource.action.ts was vulnerable to command injection. It took a type parameter from user input and used it to construct a shell command for installing packages. There was no validation on the type parameter, allowing an attacker to inject arbitrary commands. The patch mitigates this by validating the type against an allowlist of DataSourceType values.

An attacker could chain these two vulnerabilities to first gain administrative access and then execute arbitrary code on the system, leading to a full remote code execution (RCE) on the development server.

Vulnerable functions

InitApp.execute

packages/server/lib/actions/initApp.action.ts

The `execute` function in the `InitApp` class could be called multiple times without checking if the application was already initialized. This allowed an attacker to re-initialize the application, create a new root admin account, and obtain a JWT token. The patch introduced a check `!isSchemaEmpty(this.app.schema)` to prevent re-initialization.

InstallPackagesForDataSource.execute

packages/server/lib/actions/installPackagesForDataSource.action.ts

The `execute` function in the `InstallPackagesForDataSource` class was vulnerable to OS command injection. The `type` parameter from the request was used to construct a command that was executed by the system. An attacker could provide a malicious `type` to execute arbitrary commands. The patch added validation to ensure the `type` is one of the expected values.

WAF Protection Rules

WAF Rule

### Imp**t ****v*lopm*nt mo** only**. Kottst*r *ont*ins * pr*-*ut**nti**tion r*mot* *o** *x**ution (R**) vuln*r**ility w**n runnin* in **v*lopm*nt mo**. T** vuln*r**ility *om*in*s two issu*s: *. T** `init*pp` **tion **n ** **ll** r*p**t**ly wit*out

Reasoning

T** vuln*r**ility is * ***in o* two issu*s pr*s*nt only in t** **v*lopm*nt mo** o* t** Kottst*r *ppli**tion. T** *n*lysis o* t** provi*** p*t** *ommit `****************************************` *on*irms t** **s*ription o* t** vuln*r**ility. *irst,

N/A

Basic Information

Concerned about an active attack path?

CVE-2025-62713: Kottster app reinitialization can be re-triggered allowing command injection in development mode

Impact

Patches

Workarounds

Credit

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI