CVE-2025-62713
7.2
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Summary
Kottster is a self hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only, production deployments were never affected. This issue has been fixed in version 3.3.2.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| kottster | kottster | >= 3.2.0, < 3.3.2 | affected |
Weaknesses
- CWE-284: CWE-284: Improper Access Control
- CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/kottster/kottster/security/advisories/GHSA-j3w7-9qc3-g96p
- https://github.com/kottster/kottster/commit/0a7d24922a23aac98372155348787670937eef89
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.