CVE-2025-1087: Critical Template Injection in Insomnia API Client Enables Remote Code Execution - #CVE-2025-1087
A critical vulnerability, CVE-2025-1087, has been discovered in the Insomnia API Client, an open-source tool developed by Kong. This flaw, with a high CVSS score of 9.3, affects versions prior to 11.0.2 and stems from insufficient input validation when processing template strings. Exploiting this vulnerability allows attackers to execute arbitrary JavaScript code within the application, potentially compromising sensitive data and system integrity. The attack surface is significant due to Insomnia's support for various user input sources, which could be weaponized in shared projects or workspace exports. The vulnerability poses a severe security risk, especially if the application is running with elevated privileges. Users are strongly advised to update to version 11.0.2 or later to mitigate this critical security issue and protect their systems from potential attacks.
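Because the risky input arrives through shared projects and workspace exports, one practical mitigation for teams that cannot patch immediately is to review exports for template syntax before importing them. The check below is an added example written for this page; it is not Insomnia's or Kong's code. It assumes the export is a JSON document with a top-level `resources` array of request objects, that `{{ _.name }}` is the plain environment-variable reference form, and that `{{ ... }}` / `{% ... %}` are the template delimiters; the sample export is constructed.

```javascript
// Pre-import review of an Insomnia-style workspace export: find every string
// field that carries template syntax and separate plain environment-variable
// references from richer tags/expressions that deserve a human look.
// Added example, not the project's own code. The export layout and the
// "{{ _.name }}" variable convention are assumptions; adjust if yours differ.

// Broad net for Nunjucks-style delimiters: {{ expression }} and {% tag %}.
const TAG_RE = /\{\{[\s\S]*?\}\}|\{%[\s\S]*?%\}/g;
// Assumed low-risk form: a bare reference to an environment variable.
const PLAIN_VAR_RE = /^\{\{\s*_\.[A-Za-z_][\w.]*\s*\}\}$/;

// Return every tag found in a string, marking the plain variable references.
function classifyTags(text) {
  const found = text.match(TAG_RE);
  if (!found) return [];
  return found.map((tag) => ({ tag, plainVariable: PLAIN_VAR_RE.test(tag) }));
}

// Walk any JSON value; collect the JSON path of each string that holds tags.
function findTemplateStrings(value, path = '$', hits = []) {
  if (typeof value === 'string') {
    const tags = classifyTags(value);
    if (tags.length > 0) hits.push({ path, value, tags });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findTemplateStrings(v, `${path}[${i}]`, hits));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findTemplateStrings(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// An export needs review if any tag is more than a plain variable reference;
// plain data with no tags at all can be imported as-is.
function reviewExport(exportJson) {
  const hits = findTemplateStrings(exportJson);
  const flagged = hits.filter((h) => h.tags.some((t) => !t.plainVariable));
  return { needsReview: flagged.length > 0, hits, flagged };
}

// Constructed sample export (shape assumed); not a real Insomnia file.
const SAMPLE_EXPORT = {
  _type: 'export',
  __export_format: 4,
  resources: [
    {
      _id: 'req_1',
      _type: 'request',
      name: 'List users',
      url: 'https://api.example.test/users',
      headers: [{ name: 'Authorization', value: 'Bearer {{ _.apiToken }}' }],
      body: {},
    },
    {
      _id: 'req_2',
      _type: 'request',
      name: 'Create user',
      url: 'https://api.example.test/users',
      headers: [],
      body: {
        mimeType: 'application/json',
        // A tag block (constructed values) rather than a plain variable: flagged.
        text: "{% response 'body', 'req_1', 'b64::constructed', 'never', 60 %}",
      },
    },
  ],
};

const report = reviewExport(SAMPLE_EXPORT);
console.log(JSON.stringify(report, null, 2));
```

Run it on a real export by replacing `SAMPLE_EXPORT` with the parsed file; anything in `flagged` should be read by a person before the import, since those fields are what the template engine will render once the workspace is opened.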