Remote Code Execution Vulnerability in NPM mongo-express

Critical severity GitHub Reviewed Published Dec 30, 2019 in mongo-express/mongo-express • Updated Sep 12, 2023

Package

npm mongo-express (npm)

Affected versions

< 0.54.0

Patched versions

0.54.0

Description

Impact

Remote code execution on the host machine by any authenticated user.

Proof Of Concept

Launching mongo-express on a Mac, pasting the following into the "create index" field will pop open the Mac calculator:

this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')
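The payload above works because the "create index" field was handed to a JavaScript evaluator, so reaching a host object such as `process` from inside the evaluation context is enough for code execution on the server. The defensive pattern is to never evaluate that field at all: treat it as data, parse it as JSON, and accept only a closed set of index key types. The following is an added illustration of that pattern, written for this page; it is not mongo-express code and not the change shipped in 0.54.0. The allowed value set, the field-path grammar, the forbidden path segments and the size limits are assumptions chosen for the example.

```javascript
// Added example, not mongo-express code and not the project's 0.54.0 fix.
// The field is parsed as JSON (which cannot invoke functions or resolve
// identifiers) and then validated against a closed set of index key types.
// The allowed values, field-path grammar and limits below are assumptions.

const ALLOWED_INDEX_VALUES = new Set([1, -1, "text", "2dsphere", "hashed"]);
const MAX_KEYS = 32;
const MAX_INPUT_LENGTH = 4096;
// Path segments that would let a key alias object internals.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);
// Dotted identifier paths only; rejects "$"-prefixed operators and odd characters.
const FIELD_PATH = /^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$/;

function parseIndexSpec(input) {
  if (typeof input !== "string" || input.length > MAX_INPUT_LENGTH) {
    throw new TypeError("index spec must be a string of bounded length");
  }
  let spec;
  try {
    // Data, never code: JSON.parse has no access to this, process, or require.
    spec = JSON.parse(input);
  } catch (err) {
    throw new SyntaxError("index spec must be valid JSON");
  }
  if (spec === null || typeof spec !== "object" || Array.isArray(spec)) {
    throw new TypeError("index spec must be a JSON object");
  }
  const keys = Object.keys(spec);
  if (keys.length === 0 || keys.length > MAX_KEYS) {
    throw new RangeError(`index spec must have between 1 and ${MAX_KEYS} keys`);
  }
  // Build the result on a null prototype so no key can shadow Object.prototype.
  const clean = Object.create(null);
  for (const key of keys) {
    if (!FIELD_PATH.test(key)) {
      throw new TypeError(`invalid field path: ${JSON.stringify(key)}`);
    }
    if (key.split(".").some((segment) => FORBIDDEN_SEGMENTS.has(segment))) {
      throw new TypeError(`forbidden field path: ${JSON.stringify(key)}`);
    }
    const value = spec[key];
    if (!ALLOWED_INDEX_VALUES.has(value)) {
      throw new TypeError(`unsupported index type for ${key}: ${JSON.stringify(value)}`);
    }
    clean[key] = value;
  }
  return clean;
}

// True when the spec is rejected, false when it parses cleanly.
function rejectsIndexSpec(input) {
  try {
    parseIndexSpec(input);
    return false;
  } catch (err) {
    return true;
  }
}
```

With this in place, `parseIndexSpec('{"email": 1, "profile.name": -1}')` returns a plain object ready to pass to the driver's createIndex call, while any JavaScript expression fails at `JSON.parse` before it is ever interpreted. The point is that the only way to be sure user input cannot execute is to never route it through an evaluator; a sandbox around `eval` or `vm` is a containment measure, not an authorization boundary.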

Patches

Users should upgrade to version 0.54.0.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Snyk Security Advisory
CVE

For more information

If you have any questions or comments about this advisory:

Thanks

@JLLeitschuh for finding and reporting this vulnerability

References

@dozoisch dozoisch published to mongo-express/mongo-express Dec 30, 2019
Reviewed Dec 30, 2019
Published to the GitHub Advisory Database Dec 30, 2019
Last updated Sep 12, 2023

Severity

Critical 10.0 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2019-10758

GHSA ID

GHSA-h47j-hc6x-h3qq

Source code

No known source code

Credits
