CVE-2019-10758 - OpenCVE

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

This CVE is in the KEV database since Dec. 10, 2021.

Exploitation active

Automatable no

Technical Impact total

Vendors	Products
Mongo-express Project	Mongo-express

Configuration 1 [-]

cpe:2.3:a:mongo-express_project:mongo-express:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215

History

Fri, 07 Feb 2025 13:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-94
Metrics		kev `{'dateAdded': '2021-12-10'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2019-12-24T21:08:36.000Z

Updated: 2025-07-30T01:45:51.616Z

Reserved: 2019-04-03T00:00:00.000Z

Link: CVE-2019-10758

Vulnrichment

Updated: 2024-08-04T22:32:01.669Z

NVD

Status : Analyzed

Published: 2019-12-24T22:15:11.183

Modified: 2025-03-13T17:27:28.000

Link: CVE-2019-10758

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "mongo-express", "vendor": "n/a", "versions": [{"status": "affected", "version": "All versions prior to version 0.54.0"}]}], "descriptions": [{"lang": "en", "value": "mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment."}], "problemTypes": [{"descriptions": [{"description": "Remote Code Execution", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-24T21:08:36.000Z", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "ID": "CVE-2019-10758", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "mongo-express", "version": {"version_data": [{"version_value": "All versions prior to version 0.54.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Remote Code Execution"}]}]}, "references": {"reference_data": [{"name": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215", "refsource": "MISC", "url": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:32:01.669Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215"}]}, {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2019-10758", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-07T12:54:06.964168Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-12-10", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "timeline": [{"time": "2021-12-10T00:00:00+00:00", "lang": "en", "value": "CVE-2019-10758 added to CISA KEV"}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-30T01:45:51.616Z"}}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2019-10758", "datePublished": "2019-12-24T21:08:36.000Z", "dateReserved": "2019-04-03T00:00:00.000Z", "dateUpdated": "2025-07-30T01:45:51.616Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:32:01.669Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2019-10758", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-07T12:54:06.964168Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2021-12-10", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2019-10758"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-07T12:53:55.997Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "mongo-express", "versions": [{"status": "affected", "version": "All versions prior to version 0.54.0"}]}], "references": [{"url": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Remote Code Execution"}]}], "providerMetadata": {"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk", "dateUpdated": "2019-12-24T21:08:36.000Z"}, "x_legacyV4Record": {"affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "All versions prior to version 0.54.0"}]}, "product_name": "mongo-express"}]}, "vendor_name": "n/a"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215", "name": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Remote Code Execution"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2019-10758", "STATE": "PUBLIC", "ASSIGNER": "report@snyk.io"}}}}, "cveMetadata": {"cveId": "CVE-2019-10758", "state": "PUBLISHED", "dateUpdated": "2025-02-07T12:54:38.386Z", "dateReserved": "2019-04-03T00:00:00.000Z", "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "datePublished": "2019-12-24T21:08:36.000Z", "assignerShortName": "snyk"}, "dataVersion": "5.1"}

{"cisaActionDue": "2022-06-10", "cisaExploitAdd": "2021-12-10", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "MongoDB mongo-express Remote Code Execution Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mongo-express_project:mongo-express:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D34EBF59-DF06-4A25-8D83-1F74D5C9AC35", "versionEndExcluding": "0.54.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment."}, {"lang": "es", "value": "mongo-express versiones anteriores a 0.54.0, es vulnerable a una ejecuci\u00f3n de c\u00f3digo remota por medio de endpoints que utilizan el m\u00e9todo \"toBSON\". Un uso inapropiado de la dependencia \"vm\" para ejecutar comandos \"exec\" en un entorno no seguro."}], "id": "CVE-2019-10758", "lastModified": "2025-03-13T17:27:28.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2019-12-24T22:15:11.183", "references": [{"source": "report@snyk.io", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}