Advisories for Maven package io.karatelabs:karate-core

2026

Karate Mock Server RCE via embedded expression evaluation of request-derived data

Karate Mock Server can execute embedded expressions found in attacker-controlled HTTP request data when a Mock Server feature assigns request-derived values such as request, requestHeaders, or requestParams to variables. In affected scenarios, an unauthenticated remote attacker can place a Karate embedded expression such as #(Java.type(…)) in the HTTP body, headers, or query parameters; Java.type is the JavaScript-to-Java interop that Karate's expression engine exposes, which is what turns expression evaluation into code execution on the JVM. The Mock Server then recursively processes that untrusted data as embedded expressions and evaluates it server-side, which …
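As an added example (not part of this advisory or of the Karate project's own code), the following Python script implements the two checks a practitioner would want for the issue described above: an audit of a mock .feature file for def steps that assign request, requestHeaders or requestParams, or anything derived from them, to other variables (the pattern the advisory names as affected), and a scanner for Karate embedded-expression syntax (#(...) and ##(...)) arriving in the body, headers or query string of an incoming request, usable as a proxy rule or for log triage. The sample feature file and request below are constructed for the example; the set of request-derived variable names is taken from the advisory, and a caller can pass a wider set if their Karate version exposes more.

```python
import re
from urllib.parse import parse_qsl

# Request-derived variables the advisory names. Callers may pass a wider set
# (an assumption on their side, e.g. other request* variables of their
# Karate version) as the request_vars argument.
REQUEST_VARIABLES = frozenset({"request", "requestHeaders", "requestParams"})

# A Karate 'def' step: "* def name = expression" (or Given/When/And/... def).
_DEF_STEP = re.compile(
    r"^\s*(?:\*|Given|When|Then|And|But)\s+def\s+(\w+)\s*=\s*(.+?)\s*$"
)

# Start of a Karate embedded expression: "#(" or the optional form "##(".
_EMBED_START = re.compile(r"#{1,2}\(")


def audit_mock_feature(feature_text, request_vars=REQUEST_VARIABLES):
    """Flag def steps whose right-hand side references a request-derived
    variable, propagating taint so 'def x = request' followed by
    'def response = x' flags both lines. Returns (line_no, name, rhs)."""
    tainted = set(request_vars)
    findings = []
    for line_no, line in enumerate(feature_text.splitlines(), start=1):
        m = _DEF_STEP.match(line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        # Whole identifiers only, so 'requests' does not match 'request'.
        tokens = set(re.findall(r"[A-Za-z_]\w*", rhs))
        if tokens & tainted:
            tainted.add(name)
            findings.append((line_no, name, rhs))
    return findings


def find_embedded_expressions(text):
    """Return every '#(...)' / '##(...)' in text, with parentheses balanced so a
    nested call such as #(a(b)) is captured whole. An unbalanced opener is
    reported as the remaining tail rather than silently dropped."""
    found = []
    for m in _EMBED_START.finditer(text):
        depth, i = 0, m.end() - 1  # index of the opening '('
        while i < len(text):
            if text[i] == "(":
                depth += 1
            elif text[i] == ")":
                depth -= 1
                if depth == 0:
                    found.append(text[m.start():i + 1])
                    break
            i += 1
        else:
            found.append(text[m.start():])
    return found


def scan_request(body, headers, query_string):
    """Scan the three channels the advisory names (body, headers, query
    parameters). The query string is percent-decoded first, since '#' arrives
    as %23 on the wire. Returns (location, expression) pairs."""
    hits = []
    for expr in find_embedded_expressions(body):
        hits.append(("body", expr))
    for name, value in headers.items():
        for expr in find_embedded_expressions(value):
            hits.append((f"header:{name}", expr))
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        for expr in find_embedded_expressions(key) + find_embedded_expressions(value):
            hits.append((f"param:{key}", expr))
    return hits


# Constructed sample mock feature (not taken from the advisory or from Karate).
SAMPLE_FEATURE = """\
Feature: echo mock (constructed sample, not from the advisory)

Background:
* def lastBody = request
* def safeCount = 0

Scenario: pathMatches('/echo')
* def response = lastBody
* def hdrs = requestHeaders
"""

# Constructed sample request using benign expressions, not an exploit payload.
SAMPLE_BODY = '{"name": "#(1 + 1)", "note": "plain text"}'
SAMPLE_HEADERS = {"Content-Type": "application/json", "X-Probe": "##(karate.env)"}
SAMPLE_QUERY = "q=hello&inject=%23(1%2B1)"


if __name__ == "__main__":
    for line_no, name, rhs in audit_mock_feature(SAMPLE_FEATURE):
        print(f"feature line {line_no}: '{name}' is request-derived ({rhs})")
    for location, expr in scan_request(SAMPLE_BODY, SAMPLE_HEADERS, SAMPLE_QUERY):
        print(f"{location}: embedded expression {expr!r}")
```

The audit is deliberately over-inclusive (a string literal containing the word request also matches); it is meant to produce a review list, not a verdict. The request scanner only recognises the syntax, so any hit in traffic to a Karate mock should be treated as a probe for this issue.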