Headline
GHSA-j3w7-9qc3-g96p: Kottster app reinitialization can be re-triggered allowing command injection in development mode
Impact
Development mode only. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode.
The vulnerability combines two issues:
- The
initAppaction can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token - The
installPackagesForDataSourceaction uses unescaped command arguments, enabling command injection
An attacker with access to a locally running development instance can chain these vulnerabilities to:
- Reinitialize the application and receive a JWT token for a new root account
- Use this token to authenticate
- Execute arbitrary system commands through
installPackagesForDataSource
Production deployments were never affected.
Patches
Fixed in v3.3.2.
Specifically, @kottster/server v3.3.2 and @kottster/cli v3.3.2 address this vulnerability.
We recommend developers using earlier versions of @kottster/server and @kottster/cli update all the core packages to latest release:
npm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest
Workarounds
- Do not expose development servers to public networks or untrusted users
- Use production mode for any deployment accessible from outside trusted environments
Credit
We sincerely thank Jeongwon Jo (@P0cas) from RedAlert for discovering and responsibly disclosing this vulnerability.
Impact
Development mode only. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode.
The vulnerability combines two issues:
- The initApp action can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token
- The installPackagesForDataSource action uses unescaped command arguments, enabling command injection
An attacker with access to a locally running development instance can chain these vulnerabilities to:
- Reinitialize the application and receive a JWT token for a new root account
- Use this token to authenticate
- Execute arbitrary system commands through installPackagesForDataSource
Production deployments were never affected.
Patches
Fixed in v3.3.2.
Specifically, @kottster/server v3.3.2 and @kottster/cli v3.3.2 address this vulnerability.
We recommend developers using earlier versions of @kottster/server and @kottster/cli update all the core packages to latest release:
npm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest
Workarounds
- Do not expose development servers to public networks or untrusted users
- Use production mode for any deployment accessible from outside trusted environments
Credit
We sincerely thank Jeongwon Jo (@P0cas) from RedAlert for discovering and responsibly disclosing this vulnerability.
References
- GHSA-j3w7-9qc3-g96p
- kottster/kottster@0a7d249