{"id":10740517,"name":"@kottster/server","ecosystem":"npm","description":"Instant admin panel for your project","homepage":"https://kottster.app/","licenses":"Apache-2.0","normalized_licenses":["Apache-2.0"],"repository_url":"https://github.com/kottster/kottster","keywords_array":["admin","panel","dashboard","no-code","low-code","builder","generate","crud"],"namespace":"kottster","versions_count":85,"first_release_published_at":"2024-07-22T14:03:58.847Z","latest_release_published_at":"2026-01-12T19:40:45.963Z","latest_release_number":"3.5.1","last_synced_at":"2026-04-05T18:12:21.024Z","created_at":"2024-07-22T14:05:14.640Z","updated_at":"2026-04-05T18:12:21.025Z","registry_url":"https://www.npmjs.com/package/@kottster/server","install_command":"npm install @kottster/server","documentation_url":null,"metadata":{"funding":null,"dist-tags":{"latest":"3.5.1"}},"repo_metadata":{},"repo_metadata_updated_at":null,"dependent_packages_count":0,"downloads":2136,"downloads_period":"last-month","dependent_repos_count":0,"rankings":{"downloads":null,"dependent_repos_count":26.22420755452473,"dependent_packages_count":38.10147167511581,"stargazers_count":null,"forks_count":null,"docker_downloads_count":null,"average":32.16283961482027},"purl":"pkg:npm/%40kottster/server","advisories":[{"uuid":"GSA_kwCzR0hTQS1qM3c3LTlxYzMtZzk2cM4ABNwB","url":"https://github.com/advisories/GHSA-j3w7-9qc3-g96p","title":"Kottster app reinitialization can be re-triggered allowing command injection in development mode","description":"### Impact\n\n**Development mode only**. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode.\n\nThe vulnerability combines two issues:\n1. The `initApp` action can be called repeatedly without checking if the app is already initialized, allowing attackers to create a new root admin account and obtain a JWT token\n2. The `installPackagesForDataSource` action uses unescaped command arguments, enabling command injection\n\nAn attacker with access to a locally running development instance can chain these vulnerabilities to:\n- Reinitialize the application and receive a JWT token for a new root account\n- Use this token to authenticate\n- Execute arbitrary system commands through `installPackagesForDataSource`\n\n**Production deployments were never affected.**\n\n### Patches\n\nFixed in [v3.3.2](https://github.com/kottster/kottster/releases/tag/v3.3.2).\n\nSpecifically, `@kottster/server` [v3.3.2](https://www.npmjs.com/package/@kottster/server/v/3.3.2) and `@kottster/cli` [v3.3.2](https://www.npmjs.com/package/@kottster/cli/v/3.3.2) address this vulnerability.\n\nWe recommend developers using earlier versions of `@kottster/server` and `@kottster/cli` update all the core packages to latest release:\n\n```\nnpm install @kottster/common@latest @kottster/cli@latest @kottster/server@latest @kottster/react@latest\n```\n\n### Workarounds\n\n- Do not expose development servers to public networks or untrusted users\n- Use production mode for any deployment accessible from outside trusted environments\n\n### Credit\n\nWe sincerely thank Jeongwon Jo ([@P0cas](https://github.com/P0cas)) from **RedAlert** for discovering and responsibly disclosing this vulnerability.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2025-10-23T16:01:35.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.2,"cvss_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U","references":["https://github.com/kottster/kottster/security/advisories/GHSA-j3w7-9qc3-g96p","https://github.com/kottster/kottster/commit/0a7d24922a23aac98372155348787670937eef89","https://nvd.nist.gov/vuln/detail/CVE-2025-62713","https://github.com/advisories/GHSA-j3w7-9qc3-g96p"],"source_kind":"github","identifiers":["GHSA-j3w7-9qc3-g96p","CVE-2025-62713"],"repository_url":"https://github.com/kottster/kottster","blast_radius":1.0,"created_at":"2025-10-23T17:00:08.870Z","updated_at":"2026-04-05T18:01:52.787Z","epss_percentage":0.00974,"epss_percentile":0.76511,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qM3c3LTlxYzMtZzk2cM4ABNwB","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS1qM3c3LTlxYzMtZzk2cM4ABNwB","packages":[{"ecosystem":"npm","package_name":"@kottster/server","versions":[{"first_patched_version":"3.3.2","vulnerable_version_range":"\u003e= 3.2.0, \u003c 3.3.2"}],"purl":"pkg:npm/%40kottster%2Fserver"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qM3c3LTlxYzMtZzk2cM4ABNwB/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/@kottster/server","docker_dependents_count":null,"docker_downloads_count":null,"usage_url":"https://repos.ecosyste.ms/usage/npm/@kottster/server","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/@kottster/server/dependencies","status":null,"funding_links":[],"critical":null,"issue_metadata":null,"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@kottster%2Fserver/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@kottster%2Fserver/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@kottster%2Fserver/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@kottster%2Fserver/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/@kottster%2Fserver/codemeta","maintainers":[{"uuid":"art7cf","login":"art7cf","name":null,"email":"arthur.mansuroff@gmail.com","url":null,"packages_count":13,"html_url":"https://www.npmjs.com/~art7cf","role":null,"created_at":"2024-07-22T14:05:15.972Z","updated_at":"2024-07-22T14:05:15.972Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/art7cf/packages"}]}