Kottster
- >= 3.2.0, < 3.3.2
A remote code execution vulnerability has been identified in Kottster, a self-hosted Node.js admin panel, affecting versions from 3.2.0 up to but not including 3.3.2. The vulnerability is present only when Kottster runs in development mode and allows pre-authentication remote code execution. It stems from two actions: 'initApp', which can be called repeatedly without checking whether the application has already been initialized, and 'installPackagesForDataSource', which is vulnerable to command injection. Production deployments are not affected.
Exploitation of this vulnerability allows for remote code execution on the server where Kottster is running in development mode.
To reproduce this vulnerability, first, ensure that Kottster is running in development mode. Then, call the 'initApp' action to initialize the application. This action can be repeated without checks, allowing the creation of a new root admin account. Afterward, use the 'installPackagesForDataSource' action to execute arbitrary commands on the server.
Users can update to Kottster version 3.3.2, which addresses this vulnerability. Instructions for updating are available on the Kottster GitHub repository.