CVE-2025-62713

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-62713

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62713.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-62713

Aliases

GHSA-j3w7-9qc3-g96p

Published

2025-10-23T16:15:14.696Z

Modified

2026-04-02T12:58:18.902567Z

Severity

7.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Kottster app reinitialization can be re-triggered allowing command injection in development mode

Details

Kottster is a self hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only, production deployments were never affected. This issue has been fixed in version 3.3.2.

Database specific

{
    "cwe_ids": [
        "CWE-284",
        "CWE-78"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/62xxx/CVE-2025-62713.json"
}

References

Affected packages

Git / github.com/kottster/kottster

Affected ranges

Type: GIT
Repo: https://github.com/kottster/kottster
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

0a7d24922a23aac98372155348787670937eef89

Affected versions

v3.*

v3.3.0

v3.3.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-62713.json"