Rhino Security researchers have identified multiple critical vulnerabilities in Appsmith, an open-source developer platform commonly used for building internal applications. The most severe of these is CVE-2024-55963, which enables unauthenticated attackers to execute arbitrary system commands on servers running default installations of Appsmith versions 1.20 through 1.51.
Remote Code Execution as PostgreSQL User
Appsmith ships with a local PostgreSQL database for practice and learning purposes, but the researchers discovered a critical misconfiguration in its default setup. The PostgreSQL authentication configuration file (pg_hba.conf) allowed any local user to connect as any PostgreSQL user without needing a password.
The vulnerability became exploitable thanks to Appsmith’s default configuration permitting new user signups. Malefactors could register an account, create a workspace, add an application, and connect to the misconfigured database, and once connected, they could use PostgreSQL’s COPY FROM PROGRAM function to execute arbitrary system commands with the privileges of the PostgreSQL user.
Technical Exploitation Path
The researchers demonstrated a proof-of-concept exploit involving SQL commands that allowed malicious actors to:
- Create a temporary table.
- Execute Unix commands like cat to read system files.
- Retrieve results and remove evidence by dropping the table.
Two other significant vulnerabilities were also found:
- CVE-2024-55964: An Insecure Direct Object Reference (IDOR) flaw allowed users with minimal permissions to access SQL databases by exploiting predictable datasource IDs via the /api/v1/datasources/[datasource-id]/schema-preview API endpoint.
- CVE-2024-55965: A DoS vulnerability let users with limited permissions repeatedly restart applications through broken access controls in the restart API functionality.
Impact and Mitigation
These vulnerabilities put any firm using Appsmith at risk. CVE-2024-55963 is particularly critical as it allowed complete system compromise from an unauthenticated position. Threat actors could gain persistent access by registering accounts, creating workspaces, connecting to the database, and executing system commands.
Appsmith has worked with Rhino Security Labs to patch all three vulnerabilities:
- CVE-2024-55963: Fixed in version 1.52 by hardening PostgreSQL configurations and requiring password-based authentication.
- CVE-2024-55964: Addressed in version 1.49 by implementing proper role-based access controls.
- CVE-2024-55965: Resolved in version 1.48 through improved access control checks for restart functionality.
Entities are strongly advised to upgrade to version 1.52 or later immediately to mitigate these risks. Security researchers have also released technical analyses and detection tools, including Nuclei templates for scanning vulnerable instances.
Ship Faster, Build Smarter, Secure Everything
Mayur Upadhyaya, CEO of APIContext, says this vulnerability shines a light on delivery chain risk: “When an unauthenticated endpoint can connect to an unauthenticated database, it creates an open door for attackers. Think of it like a block of flats; just because someone gets into the building doesn’t mean they should have a key to every apartment. Yet in many default setups, every door is left unlocked. Appsmith, like many internal tools, is powerful but when shipped with insecure defaults, such as exposed local databases, it can unintentionally expand the attack surface.”
He says we’re asking a lot from developers today: ship faster, build smarter, and secure everything. “But without clear guardrails and automated visibility, mistakes happen. You can’t fix what you can’t see. In an API-first world, internal tools blur into external risk, making proactive testing for exposed PII and public endpoints a necessity, not a luxury.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
