CVE-2025-1087

Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript execution in the context of the application.

CVSS

No CVSS.

References

Link	Resource
https://github.com/Kong/insomnia
https://tantosec.com/blog/2025/06/insomnia-api-client-template-injection/

Configurations

No configuration.

History

17 Sep 2025, 14:15

Type	Values Removed	Values Added
References		() https://tantosec.com/blog/2025/06/insomnia-api-client-template-injection/ -

12 May 2025, 17:32

Type	Values Removed	Values Added
Summary		(es) Kong Insomnia Desktop Application anterior a la versión 11.0.2 contiene una vulnerabilidad de inyección de plantillas que permite a los atacantes ejecutar código arbitrario. Esta vulnerabilidad se debe a una validación insuficiente de la entrada proporcionada por el usuario al procesar cadenas de plantilla, lo que puede provocar la ejecución arbitraria de JavaScript en el contexto de la aplicación.

09 May 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-09 12:15

Updated : 2025-09-17 14:15

NVD link : CVE-2025-1087

Mitre link : CVE-2025-1087

CVE.ORG link : CVE-2025-1087

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2025-1087", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "02762ae7-200e-4b20-9b2b-a77d5b8fc4cb", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-09T12:15:32.913", "references": [{"url": "https://github.com/Kong/insomnia", "source": "02762ae7-200e-4b20-9b2b-a77d5b8fc4cb"}, {"url": "https://tantosec.com/blog/2025/06/insomnia-api-client-template-injection/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "02762ae7-200e-4b20-9b2b-a77d5b8fc4cb", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript execution in the context of the application."}, {"lang": "es", "value": "Kong Insomnia Desktop Application anterior a la versi\u00f3n 11.0.2 contiene una vulnerabilidad de inyecci\u00f3n de plantillas que permite a los atacantes ejecutar c\u00f3digo arbitrario. Esta vulnerabilidad se debe a una validaci\u00f3n insuficiente de la entrada proporcionada por el usuario al procesar cadenas de plantilla, lo que puede provocar la ejecuci\u00f3n arbitraria de JavaScript en el contexto de la aplicaci\u00f3n."}], "lastModified": "2025-09-17T14:15:37.177", "sourceIdentifier": "02762ae7-200e-4b20-9b2b-a77d5b8fc4cb"}