EXECUTIVE SUMMARY:
A critical vulnerability, tracked as CVE-2025-1087 with a CVSS score of 9.3, affects Insomnia, Kong’s widely used open-source API client, and could allow attackers to execute arbitrary code on user systems. This flaw, present in versions of the Insomnia Desktop Application prior to 11.0.2, arises from inadequate input validation when rendering template strings, enabling JavaScript execution through specially crafted inputs. Given Insomnia’s broad range of input sources—including environment variables, template tags, and custom scripts—the vulnerability poses significant risk: it could potentially allow access to sensitive data, unauthorized API modifications, and system compromise, particularly in environments with elevated privileges.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: