GHSA-2c85-rfcc-g74j: Karate Mock Server RCE via embedded expression evaluation of request-derived data
Karate Mock Server can execute embedded expressions found in attacker-controlled HTTP request data when a Mock Server feature assigns request-derived values such as request, requestHeaders, or requestParams to variables.
In affected scenarios, an unauthenticated remote attacker can place a Karate embedded expression such as #(Java.type(...)) in the HTTP body, headers, or query parameters. The Mock Server then recursively processes that untrusted data as embedded expressions and evaluates it server-side, which can lead to arbitrary command execution under the privileges of the Karate Mock Server process.
This issue does not require the attacker to control the feature file. The vulnerable precondition is that the Mock Server feature uses request-derived data in a way that passes through Karate expression evaluation, for example:
```gherkin
* def body = request
* def hdrs = requestHeaders
* def params = requestParams
```
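The following Python script is an added example for defenders and is not code from the advisory or from the Karate project. It does two things the advisory's description calls for: it scans a mock feature file for `def` steps that assign `request`, `requestHeaders` or `requestParams` directly to a variable (the precondition named above), and it screens an incoming request's body, headers and query parameters for Karate's `#(` embedded-expression marker so such payloads can be rejected or logged before the mock evaluates them. The sample feature text and sample request are constructed for the example; only the three `def` lines come from the advisory.

```python
import re

# Karate's embedded-expression marker: "#(" opens an expression inside a string.
EMBEDDED_EXPR = re.compile(r"#\(")

# A `* def <name> = request|requestHeaders|requestParams` step, the precondition
# described in the advisory (request-derived data assigned to a variable).
_DEF_LINE = re.compile(
    r"^\s*\*\s*def\s+(?P<name>\w+)\s*=\s*(?P<source>request(?:Headers|Params)?)\b"
)


def find_risky_defs(feature_text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, variable, source) for every def step that assigns
    request-derived data straight to a variable in a mock feature file."""
    hits = []
    for lineno, line in enumerate(feature_text.splitlines(), start=1):
        m = _DEF_LINE.match(line)
        if m:
            hits.append((lineno, m.group("name"), m.group("source")))
    return hits


def contains_embedded_expression(value) -> bool:
    """Recursively check request-derived data (str, dict, list) for the '#('
    marker. Keys are checked too, since header and parameter names are also
    attacker-controlled."""
    if isinstance(value, str):
        return bool(EMBEDDED_EXPR.search(value))
    if isinstance(value, dict):
        return any(
            contains_embedded_expression(k) or contains_embedded_expression(v)
            for k, v in value.items()
        )
    if isinstance(value, (list, tuple)):
        return any(contains_embedded_expression(v) for v in value)
    return False


def screen_request(body, headers: dict, params: dict) -> dict:
    """Report which parts of a request carry an embedded-expression marker.
    A front proxy or pre-handler can reject the request when any flag is True."""
    return {
        "body": contains_embedded_expression(body),
        "headers": contains_embedded_expression(headers),
        "params": contains_embedded_expression(params),
    }


# Constructed sample feature file (only the three `def` lines are from the advisory).
SAMPLE_FEATURE = """Feature: mock
Background:
* def safeConst = 'hello'
Scenario: pathMatches('/echo')
* def body = request
* def hdrs = requestHeaders
* def params = requestParams
* def response = body
"""

# Constructed sample request: one header value carries the marker.
SAMPLE_BODY = '{"name": "alice"}'
SAMPLE_HEADERS = {"X-Trace": ["#(1 + 1)"], "Content-Type": ["application/json"]}
SAMPLE_PARAMS = {"q": ["plain"]}

if __name__ == "__main__":
    for lineno, name, source in find_risky_defs(SAMPLE_FEATURE):
        print(f"line {lineno}: '{name}' is assigned directly from {source}")
    print(screen_request(SAMPLE_BODY, SAMPLE_HEADERS, SAMPLE_PARAMS))
```

Running the script against the sample flags the three `def` steps and reports the header as the request part carrying a marker. The feature-file check is suited to a CI lint step over mock features; the request screen belongs in front of any mock server that must stay reachable from untrusted clients until the dependency is upgraded.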