Insomnia API Client Vulnerability: Arbitrary Code Execution via Template Injection
A severe security vulnerability has been discovered in the widely used Insomnia API Client that allows attackers to execute arbitrary code through malicious template injection.
The vulnerability, tracked as CVE-2025-1087 and assigned a critical CVSS score of 9.3, affects the popular API testing tool developed by Kong and remains exploitable in the latest version 11.2.0 despite multiple attempted patches.
The vulnerability exploits Insomnia’s Nunjucks templating engine, which is used to process environment variables and dynamic content within API requests.
Unlike traditional server-side template injection attacks, this client-side vulnerability can be triggered through two primary attack vectors: importing malicious collection files or sending HTTP requests to compromised servers that respond with crafted cookies containing template expressions.
Tantosec analysts Marcio Almeida and Justin Steven identified the vulnerability during routine API penetration testing and discovered that the issue poses significant risks to developers and security professionals who regularly import shared API collections or test against potentially malicious endpoints.
The researchers found that attackers can achieve remote code execution with minimal user interaction, requiring only that the victim send two consecutive HTTP requests: the first to a malicious server, which plants the cookie, and a second during which the stored cookie is rendered.
The discovery represents a particularly concerning development for the cybersecurity community, as Insomnia is frequently used by penetration testers and API developers who often work with untrusted data sources.
The vulnerability effectively turns a trusted security tool into a potential attack vector, highlighting the importance of securing development and testing environments.
Exploitation Mechanism Through Malicious Cookie Injection
The most insidious aspect of this vulnerability lies in its cookie-based exploitation method, which requires virtually no user interaction beyond normal API testing activities.
When Insomnia sends an HTTP request to a malicious server, the server can respond with a Set-Cookie header containing dangerous Nunjucks template expressions.
These expressions are automatically stored in Insomnia’s cookie jar and processed by the templating engine during subsequent requests.
The attack leverages the constructor property of range, a built-in Nunjucks global function: in JavaScript every function object's constructor is the global Function constructor, which compiles a string into executable code, so reaching it from inside a template escapes the sandbox.
A typical payload has the form {{range.constructor("return require('child_process').execSync('command')")()}}
where the template expression compiles and runs the supplied JavaScript within Insomnia's Node.js environment and execSync runs the attacker's shell command.
When the victim sends a follow-up request to any server, the malicious cookie value is rendered, the embedded command executes, and the attacker obtains full control of the victim's machine.
Kong’s development team has attempted multiple mitigations since the vulnerability was first reported, including blocking the string “require” and limiting the modules available to templates through a web worker sandbox.
However, each fix has been bypassed by the researchers. The most recent bypass discovered by Tantosec uses joiner.constructor (joiner is another Nunjucks global function) instead of range.constructor, showing that blocking individual names does not help when any exposed function leads to the same Function constructor. Template injection persists when the unsafe functionality is sanitized rather than removed.
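The following Node.js script is an added example, not Insomnia's, Kong's or Tantosec's code. It illustrates the two points above: first, that the sandbox-escape primitive is the Function constructor reached through the `.constructor` property of any function exposed to the template (so blocking `range` but leaving `joiner` changes nothing), and second, how a practitioner can audit an Insomnia-style export or a raw Set-Cookie header for template tags without ever rendering them. The functions `range` and `joiner` here are stand-ins for the Nunjucks globals; the export layout (a top-level `resources` array with `_type` entries such as `cookie_jar`) is an assumption about Insomnia's export format; the sample export and header are constructed, and the payload body is a harmless `return 6*7` in place of the child_process call described in the article.

```javascript
// Added example (not Insomnia's or Tantosec's code): demonstrate the
// Function-constructor escape and audit untrusted input for template tags.

// Stand-ins for the Nunjucks globals named in the article (assumption: the
// real bodies differ). What matters is that every JavaScript function object
// exposes `.constructor`, and that property is the global Function constructor.
function range(n) { return Array.from({ length: n }, (_, i) => i); }
function joiner(sep) { return () => sep; }

// Compile and run attacker-controlled source via an exposed function's
// `.constructor`. Blocking one name (range) does nothing: joiner behaves the same.
function escapeViaConstructor(exposedFn, source) {
  if (exposedFn.constructor !== Function) throw new Error('not a plain function');
  return exposedFn.constructor(source)();
}

// Nunjucks-style expression ({{ }}) and statement ({% %}) tags.
const TEMPLATE_TAG = /\{\{[\s\S]*?\}\}|\{%[\s\S]*?%\}/g;

// Return every template tag found in a string, flagging those that reference
// `constructor`, the property that leads from any function to Function.
function findTemplateTags(value) {
  if (typeof value !== 'string') return [];
  return (value.match(TEMPLATE_TAG) || []).map((tag) => ({
    tag,
    reachesFunctionConstructor: /\bconstructor\b/.test(tag),
  }));
}

// Parse a raw Set-Cookie header into name and value. Per RFC 6265 the first
// `;`-delimited token is name=value; the remaining tokens are attributes.
function parseSetCookie(header) {
  const [nameValue] = header.split(';');
  const eq = nameValue.indexOf('=');
  return { name: nameValue.slice(0, eq).trim(), value: nameValue.slice(eq + 1).trim() };
}

// Walk a JSON-like value and collect template tags found in string leaves,
// recording a path so the finding can be located in the export.
function auditValue(value, path, findings) {
  if (typeof value === 'string') {
    for (const hit of findTemplateTags(value)) findings.push({ path, ...hit });
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => auditValue(v, `${path}[${i}]`, findings));
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) auditValue(v, `${path}.${k}`, findings);
  }
}

// Audit an export in the assumed Insomnia shape: a `resources` array whose
// entries carry `_type` (e.g. "cookie_jar" with a `cookies` list). The input is
// only inspected as data; nothing is rendered, so the audit itself is safe.
function auditInsomniaExport(exportObj) {
  const findings = [];
  (exportObj.resources || []).forEach((res, i) =>
    auditValue(res, `resources[${i}]<${res._type}>`, findings));
  return findings;
}

// Constructed sample export: one benign environment and one cookie jar whose
// cookie value carries a tag of the same shape as the reported payload.
const SAMPLE_EXPORT = {
  _type: 'export',
  resources: [
    { _type: 'environment', data: { base_url: 'https://api.example.test' } },
    { _type: 'cookie_jar', cookies: [
      { key: 'session', domain: 'evil.example.test',
        value: '{{range.constructor("return 6*7")()}}' },
    ] },
  ],
};

// Constructed Set-Cookie header as a malicious server could return it.
const SAMPLE_SET_COOKIE = 'session={{joiner.constructor("return 6*7")()}}; Path=/; HttpOnly';

console.log(escapeViaConstructor(range, 'return 6*7'));   // 42
console.log(escapeViaConstructor(joiner, 'return 6*7'));  // 42, same escape via another global
console.log(auditInsomniaExport(SAMPLE_EXPORT));
console.log(findTemplateTags(parseSetCookie(SAMPLE_SET_COOKIE).value));
```

The audit functions deliberately never pass the strings to a template engine: the defensive lesson from the repeated bypasses is that untrusted values (cookies set by remote servers, imported collections) should be treated as literal data, not as templates, and a scanner that flags `{{ ... }}` tags in those positions is a cheap pre-import check until a fix ships.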
The vulnerability’s resilience against patches underscores the fundamental architectural challenge of safely implementing client-side templating with untrusted data.
Despite being first reported publicly in 2020, the issue remained unaddressed for years until Tantosec’s research demonstrated remote exploitation and raised its assessed severity.
Until a comprehensive fix is available, users are advised to avoid importing untrusted collection files, disable cookie handling where possible, and audit any template expressions in imported data or stored cookies before they are rendered.