What is CVE-2025-62713?

### Impact **Development mode only**. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. The vulnerability combines two issues: 1. The `initApp` action can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token 2. The `installPackagesForDataSource` action uses unescaped command arguments, enabling command injection An attacker with access to a locally running development instance can chain these vulnerabilities to: - Reinitialize the application and receive a JWT token for a new root account - Use this token to authenticate - Execute arbitrary system commands through `installPackagesForDataSource` **Production deployments were never affected.** ### Patches Fixed in [v3.3.2](https://github.com/kottster/kottster/releases/tag/v3.3.2). Specifically, `@kottster/server` [v3.3.2](https://www.npmjs.com/package/@kottster/server/v/3.3.2) and `@kottster/cli` [v3.3.2](https://www.npmjs.com/package/@kottster/cli/v/3.3.2) address this vulnerability. We recommend developers using earlier versions of `@kottster/server` and `@kottster/cli` update all the core packages to latest release: ``` npm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest ``` ### Workarounds - Do not expose development servers to public networks or untrusted users - Use production mode for any deployment accessible from outside trusted environments ### Credit We sincerely thank Jeongwon Jo ([@P0cas](https://github.com/P0cas)) from **RedAlert** for discovering and responsibly disclosing this vulnerability.

What is the severity of CVE-2025-62713?

CVE-2025-62713 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2025-62713?

No known public exploits are currently available for CVE-2025-62713.

Is there a patch available for CVE-2025-62713?

Yes, patches are available for CVE-2025-62713. Check the vendor advisories for update instructions.

CVE-2025-62713 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score1.0

None

Exploitation LikelihoodLow

1.00%EPSS

Lower probability of exploitation

Patch during regular maintenance

1.00%

EPSS

0.0

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

Development mode only. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode.

The vulnerability combines two issues:

The initApp action can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token
The installPackagesForDataSource action uses unescaped command arguments, enabling command injection

An attacker with access to a locally running development instance can chain these vulnerabilities to:

Reinitialize the application and receive a JWT token for a new root account
Use this token to authenticate
Execute arbitrary system commands through installPackagesForDataSource

Production deployments were never affected.

Patches

Fixed in v3.3.2.

Specifically, @kottster/server v3.3.2 and @kottster/cli v3.3.2 address this vulnerability.

We recommend developers using earlier versions of @kottster/server and @kottster/cli update all the core packages to latest release:

npm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest

Workarounds

Do not expose development servers to public networks or untrusted users
Use production mode for any deployment accessible from outside trusted environments

Credit

We sincerely thank Jeongwon Jo (@P0cas) from RedAlert for discovering and responsibly disclosing this vulnerability.

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Patch References

Github.com