A severe security vulnerability, tracked as CVE-2025-1087, has been discovered in the widely-used Insomnia API Client developed by Kong. This vulnerability allows attackers to execute arbitrary code through malicious template injection, posing significant risks to developers and security professionals. Despite multiple attempted patches, the vulnerability remains exploitable in the latest version 11.2.0. The issue highlights the importance of securing development and testing environments, as it effectively turns a trusted security tool into a potential attack vector.
Source: https://cybersecuritynews.com/insomnia-api-client-vulnerability-arbitrary-code-execution/
TPRM report: https://scoringcyber.rankiteo.com/company/konghq
{"id": "kon301062025",
"linkid": "konghq",
"type": "Vulnerability",
"date": "6/2025",
"severity": "25",
"impact": "",
"explanation": "Attack without any consequences: Attack in which data is not compromised"}
{'affected_entities': [{'industry': 'Technology', 'name': 'Kong', 'type': 'Software Development Company'}],
 'attack_vector': ['Importing malicious collection files', 'Sending HTTP requests to compromised servers'],
 'description': 'A severe security vulnerability has been discovered in the widely-used Insomnia API Client that allows attackers to execute arbitrary code through malicious template injection. The vulnerability, tracked as CVE-2025-1087 and assigned a critical CVSS score of 9.3, affects the popular API testing tool developed by Kong and remains exploitable in the latest version 11.2.0 despite multiple attempted patches. The vulnerability exploits Insomnia’s Nunjucks templating engine, which is used to process environment variables and dynamic content within API requests. Unlike traditional server-side template injection attacks, this client-side vulnerability can be triggered through two primary attack vectors: importing malicious collection files or sending HTTP requests to compromised servers that respond with crafted cookies containing template expressions.',
 'impact': {'systems_affected': 'Insomnia API Client'},
 'references': [{'source': 'Tantosec'}],
 'title': 'Critical Vulnerability in Insomnia API Client Allows Arbitrary Code Execution',
 'type': 'Template Injection',
 'vulnerability_exploited': 'CVE-2025-1087'}