CVE-2025-62713
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-23

Last updated on: 2025-10-27

Assigner: GitHub, Inc.

Description
Kottster is a self hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only, production deployments were never affected. This issue has been fixed in version 3.3.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-23
Last Modified
2025-10-27
Generated
2026-06-16
AI Q&A
2025-10-23
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62713
EUVD
EUVD-2025-35701
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
kottster cli 3.2.0
kottster server 3.3.2
kottster server 3.2.0
kottster cli 3.3.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-62713 is a pre-authentication remote code execution (RCE) vulnerability in Kottster versions 3.2.0 to before 3.3.2 when running in development mode. It arises from two issues: the application can be reinitialized repeatedly without checking if it is already initialized, allowing an attacker to create a new root admin account and obtain a JWT token; and unescaped command arguments in a function allow command injection. An attacker with access to a development instance can exploit these to execute arbitrary system commands. Production deployments are not affected. [2]

Impact Analysis

This vulnerability can allow an attacker to gain root admin access to the Kottster development instance without authentication and execute arbitrary system commands remotely. This could lead to full compromise of the affected system running the vulnerable development mode, including unauthorized control over the server and potential data breaches. However, production deployments are not affected. [2]

Detection Guidance

This vulnerability can be detected by checking if a Kottster instance is running in development mode (versions >=3.2.0 and <3.3.2). Since exploitation involves invoking the `initApp` action repeatedly and executing commands via `installPackagesForDataSource`, monitoring for unusual repeated initialization requests or suspicious command execution attempts on the development server could indicate exploitation attempts. Specific commands are not provided in the resources, but verifying the version of @kottster/server and whether the server is running in development mode is essential. [2]

Mitigation Strategies

Immediate mitigation steps include updating all @kottster/server and @kottster/cli packages to version 3.3.2 or later, which contains the fix. Additionally, avoid exposing development servers to public or untrusted networks and use production mode for any deployment accessible outside trusted environments. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62713. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart