Home

Description

Kottster is a self hosted Node.js admin panel. From versions 3.2.0 to before 3.3.2, Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode. This affects development mode only, production deployments were never affected. This issue has been fixed in version 3.3.2.

PUBLISHED Reserved 2025-10-20 | Published 2025-10-23 | Updated 2025-10-23 | Assigner GitHub_M




HIGH: 7.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

Problem types

CWE-284: Improper Access Control

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

>= 3.2.0, < 3.3.2
affected

References

github.com/...ttster/security/advisories/GHSA-j3w7-9qc3-g96p

github.com/...ommit/0a7d24922a23aac98372155348787670937eef89

cve.org (CVE-2025-62713)

nvd.nist.gov (CVE-2025-62713)

Download JSON