CVE-2025-62713: 
JavaScript vulnerability analysis and mitigation

Kottster, a self-hosted Node.js admin panel, was found to contain a pre-authentication remote code execution (RCE) vulnerability (CVE-2025-62713) affecting versions 3.2.0 to 3.3.2 when running in development mode. The vulnerability was discovered and disclosed on October 23, 2025. It's important to note that this vulnerability only affects development mode deployments, with production environments remaining unaffected (GitHub Advisory).

The vulnerability combines two critical issues: first, the ability to repeatedly call the initApp action without proper initialization checks, enabling attackers to create unauthorized root admin accounts and obtain JWT tokens; second, the installPackagesForDataSource action's use of unescaped command arguments, enabling command injection. The vulnerability has received a CVSS 4.0 score of 7.2 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U. The vulnerability is classified under CWE-284 (Improper Access Control) and CWE-78 (OS Command Injection) (NVD).

An attacker with access to a locally running development instance can exploit this vulnerability to reinitialize the application, obtain unauthorized root admin access through a JWT token, and execute arbitrary system commands through the installPackagesForDataSource functionality (GitHub Advisory).

The vulnerability has been patched in version 3.3.2 of both @kottster/server and @kottster/cli. Users are recommended to update all core packages to the latest release using npm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest. For those unable to update immediately, it is recommended to avoid exposing development servers to public networks or untrusted users and to use production mode for any deployment accessible from outside trusted environments (GitHub Advisory).