Description
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. The cause is a misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
Remediation
References
https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215