CVE-2025-62713: Kottster app reinitialization can be re-triggered allowing command injection in development mode
Development mode only. Kottster contains a pre-authentication remote code execution (RCE) vulnerability when running in development mode.
The vulnerability combines two issues:
- The initApp action can be called repeatedly without checking whether the app is already initialized, allowing an attacker to create a new root admin account and obtain a JWT token
- The installPackagesForDataSource action uses unescaped command arguments, enabling command injection
An attacker with access to a locally running development instance can chain these vulnerabilities to:
- Reinitialize the application and receive a JWT token for a new root account
- Use this token to authenticate
- Execute arbitrary system commands through installPackagesForDataSource
Production deployments were never affected.