CVE-2019-10758
Listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
VIR risk: 1.5
Description
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. The root cause is a misuse of the `vm` dependency to evaluate user-supplied document text in a non-safe environment: Node's `vm` module is not a security boundary, so a crafted document submitted to such an endpoint runs arbitrary code in the mongo-express process.
CISA KEV
- Vendor: MongoDB
- Product: mongo-express
- Due date: 2022-06-10
Predictions (heuristic, AS-IS, for prioritization only)
- Exploit likelihood: 99%
- Patch ETA: not given
Mitigations
No workaround has been published for this CVE; the fix is to upgrade mongo-express to 0.54.0 or later (see Package impact below).
Package impact
| Ecosystem | Package | Vulnerable versions | Fixed in |
|---|---|---|---|
| npm | mongo-express | <0.54.0 | 0.54.0 |
References
- https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq
- https://nvd.nist.gov/vuln/detail/CVE-2019-10758
- https://github.com/mongo-express/mongo-express/pull/522
- https://github.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494
- https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2
- https://github.com/mongo-express/mongo-express
- https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60
- https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758