CVE-2019-10758
CVSS 9.9 CRITICAL · EPSS 84.8% · KEV · CWE-94
In short

mongo-express versions before 0.54.0 allow attackers to execute arbitrary code on the server through unsafe use of the vm module. An attacker can send specially crafted requests to vulnerable endpoints that use the toBSON method to run commands with server privileges.

Technical detail

The remote code execution vulnerability in mongo-express versions before 0.54.0 stems from unsafe `vm.Script` execution in endpoints that use `toBSON`. The `vm` module is used improperly to evaluate untrusted input, allowing an unauthenticated attacker to execute arbitrary system commands with the privileges of the mongo-express process.

Summary generated and translated by AI from the official description.
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
n/a · mongo-express