13 May

A critical vulnerability in Kong’s popular open-source API client, Insomnia, could allow attackers to execute arbitrary code on affected systems, according to the latest disclosure tracked as CVE-2025-1087. With a CVSS score of 9.3, the flaw presents a significant risk to developers, testers, and DevOps teams relying on Insomnia for interacting with REST, GraphQL, WebSocket, SSE, and gRPC endpoints.
Insomnia, which has over 36,000 stars on GitHub, is widely adopted by the API development community for its flexibility, cross-platform support, and extensibility.
The issue impacts Insomnia Desktop Application versions prior to 11.0.2, and stems from insufficient input validation when rendering template strings. Attackers can exploit this flaw by injecting specially crafted templates that are evaluated within the application’s JavaScript context, leading to arbitrary code execution on the user’s machine.

“The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript execution in the context of the application,” explains the CVE entry.
The attack surface is especially concerning because Insomnia supports a broad range of user input sources (environment variables, template tags, and custom scripts) which could be weaponized in a malicious workspace export or shared project.
If exploited, CVE-2025-1087 could enable an attacker to:
- Execute arbitrary JavaScript within the application
- Access sensitive environment variables
- Perform lateral movement by modifying API requests
- Potentially compromise system integrity, especially if running with elevated privileges

This vulnerability qualifies as a template injection flaw, a class of vulnerabilities where user-controlled input is evaluated as code by the underlying rendering engine.
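As an added example (not Insomnia’s code or Kong’s fix), here is the vulnerable-versus-hardened pattern behind this class of flaw, using a toy engine that evaluates `{{ expr }}` in the JavaScript context; the `findTemplateSyntax` pre-import check and its `{{` / `{%` delimiters are assumptions of this example, not details from the advisory.

```javascript
// Added illustration, not Insomnia's code: a toy template engine that evaluates
// {{ expr }} in the JavaScript context, standing in for any engine that does so.
function renderTemplate(template, ctx) {
  return template.replace(/\{\{\s*([^}]+?)\s*\}\}/g, (_, expr) => {
    // The expression is compiled and run as code: template text IS code here.
    return String(new Function('ctx', `return (${expr});`)(ctx));
  });
}

// Vulnerable pattern: an untrusted value (e.g. a field from a shared workspace
// export) is spliced into the template source, so template syntax inside it
// is evaluated rather than displayed.
function renderUnsafe(untrustedValue, ctx) {
  return renderTemplate(`Request name: ${untrustedValue}`, ctx);
}

// Hardened pattern: the template source is fixed and the untrusted value is
// passed as data. The engine makes a single pass, so delimiters in the data
// stay literal instead of being evaluated.
function renderSafe(untrustedValue, ctx) {
  return renderTemplate('Request name: {{ ctx.value }}', { ...ctx, value: untrustedValue });
}

// Defender-side check for untrusted imports: report the paths of strings that
// carry template delimiters before they reach a renderer. '{{' and '{%' are
// assumed delimiters (Jinja-style); adjust to the engine actually in use.
function findTemplateSyntax(obj, path = '$') {
  const hits = [];
  if (typeof obj === 'string') {
    if (/\{\{|\{%/.test(obj)) hits.push(path);
  } else if (obj && typeof obj === 'object') {
    for (const [k, v] of Object.entries(obj)) hits.push(...findTemplateSyntax(v, `${path}.${k}`));
  }
  return hits;
}

// Constructed sample: a harmless canary expression confirms whether input is
// being evaluated instead of rendered, which is how a fix is verified.
const canary = '{{ 6 * 7 }}';
console.log(renderUnsafe(canary, {}));  // Request name: 42   (evaluated: injection)
console.log(renderSafe(canary, {}));    // Request name: {{ 6 * 7 }}   (literal: safe)
console.log(findTemplateSyntax({ resources: [{ name: canary, url: 'https://example.test' }] }));
// [ '$.resources.0.name' ]
```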
Users are strongly advised to update to version 11.0.2 or later to mitigate this critical security risk.
