CVE-2019-10758
CRITICAL 9.9 | ⚠ KEV | EPSS 94.4%
Remote Code Execution Vulnerability in NPM mongo-express
Description
### Impact

Remote code execution on the host machine by any authenticated user.

### Proof Of Concept

Launching mongo-express on a Mac, pasting the following into the "create index" field will pop open the Mac calculator:

```javascript
this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')
```

### Patches

Users should upgrade to version `0.54.0`.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [example link to repo](http://example.com)
* Email us at [example email address](mailto:[email protected])

#### Thanks

@JLLeitschuh for finding and reporting this vulnerability

This vulnerability has been [exploited](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758) in the wild.
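The root cause here is that a form field was evaluated as JavaScript in a Node `vm` context, which is not a security boundary. As an added example (not mongo-express's own code or its fix), the following takes a "create index" specification from untrusted input by parsing it as JSON and validating it against the values an index key can hold, so a payload like the one above is rejected as malformed input instead of being executed; the function names and the allowed-value list are assumptions for illustration.

```javascript
// Added example (not mongo-express code): accept an index specification
// from an untrusted form field without evaluating it. JSON.parse never
// runs JavaScript, so expressions such as this.constructor.constructor(...)
// are rejected as malformed JSON; the constructor chain is never reachable.

// Values MongoDB accepts for an index key: sort direction or index type.
const ALLOWED_VALUES = new Set([1, -1, 'text', '2d', '2dsphere', 'hashed']);

// Returns a plain object suitable for collection.createIndex(), or throws
// on anything that is not a strict JSON object with allowed field values.
function parseIndexSpec(input) {
  let spec;
  try {
    spec = JSON.parse(input);
  } catch (err) {
    throw new Error('index spec must be valid JSON: ' + err.message);
  }
  if (spec === null || typeof spec !== 'object' || Array.isArray(spec)) {
    throw new Error('index spec must be a JSON object');
  }
  const out = {};
  for (const [field, value] of Object.entries(spec)) {
    // MongoDB field names cannot be empty or start with "$";
    // "__proto__" is refused to keep the result a plain data object.
    if (field.length === 0 || field.startsWith('$') || field === '__proto__') {
      throw new Error('invalid field name: ' + JSON.stringify(field));
    }
    if (!ALLOWED_VALUES.has(value)) {
      throw new Error('invalid index value for ' + field + ': ' + JSON.stringify(value));
    }
    out[field] = value;
  }
  if (Object.keys(out).length === 0) {
    throw new Error('index spec must name at least one field');
  }
  return out;
}

// Convenience for callers that only need to know whether input was refused.
function isRejected(input) {
  try { parseIndexSpec(input); return false; } catch (err) { return true; }
}

// Constructed inputs: a legitimate compound index and a fragment of the
// advisory's payload (a JavaScript expression, not JSON).
const GOOD_SPEC = '{"email": 1, "createdAt": -1}';
const PAYLOAD_FRAGMENT = 'this.constructor.constructor("return process")()';
```

With this in place the field's value reaches the driver only as data, and an entry such as `{"$where": 1}` or a nested object is refused before any database call.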
Affected packages (1)
- npm/mongo-express: from 0, < 0.54.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2019-10758
- PATCH: https://github.com/mongo-express/mongo-express
- WEB: https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60
- WEB: https://github.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494
- WEB: https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2
- WEB: https://github.com/mongo-express/mongo-express/pull/522
- WEB: https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq
- WEB: https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
- WEB: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758