2025-09-27, Main Track
Insomnia by Kong is a popular API client, especially among developers and security testers. Marcio and Justin discovered a critical template injection vulnerability (CVE-2025-1087) in Insomnia, exposing users to remote command execution with just a couple of requests to a malicious HTTP server.
They will walk you through the story of how they stumbled upon the initial "weird behaviour" during a routine API penetration test, examine Insomnia's templating implementation, dive into exotic Nunjucks template injection, dissect their exploitation strategy, and show how they bypassed several attempted patches by the vendor. They'll close with some thoughts on the disclosure and patching experience, discuss the fragility of quick-fix sanitisation-based mitigations, explore the challenges of bug triage in the real world, and consider how decisions made during software development can lead to trouble down the road.
Marcio Almeida is one of the Co-Founders and the Director of Technical Services at Tanto Security. He has worked in cyber security for over 15 years and has experience with Penetration Testing, Code Review, Exploit Development, Secure Development, DevSecOps and Red Team Operations.
Justin is a seasoned computer security professional with 13 years of experience across Incident Response and Software Security. As Tanto Security's Head of Research, Justin fosters the curiosity and ingenuity of our consultants, supporting them as they engage in their own research projects.