Description
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. The root cause is a misuse of Node's `vm` module: user-supplied expressions are evaluated inside a `vm` context that is not a security boundary, so an attacker can escape the context and run arbitrary code (for example `exec`-style commands) on the host.
Remediation
Upgrade mongo-express to version 0.54.0 or later.
References
https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758
Related Vulnerabilities
CVE-2020-7684 Vulnerability in npm package rollup-plugin-serve
CVE-2023-45134 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates
CVE-2023-22899 Vulnerability in maven package net.lingala.zip4j:zip4j
CVE-2023-26134 Vulnerability in npm package git-commit-info
CVE-2022-28366 Vulnerability in maven package net.sourceforge.htmlunit:neko-htmlunit