Cyber Resilience

CVE-2019-10758

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 24 December 2019
Modified: 27 October 2025
KEV added: 10 December 2021
Patch: available (fixed in mongo-express 0.54.0)
CVSS v3.1 base score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.9435 (100.0th percentile)
Risk priority: 96 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-10758 is a critical-severity code injection (CWE-94) vulnerability in mongo-express, the mongo-express project's web-based MongoDB administration interface. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, its EPSS score places it at the 100.0th percentile of all CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

mongo-express versions prior to 0.54.0 contain a remote code execution vulnerability in endpoints that invoke the toBSON method. The flaw stems from unsafe use of the vm dependency: user-supplied document text is evaluated inside a vm context, which is not a security boundary, so crafted input escapes the intended restricted context and runs arbitrary code in the server process. The issue is tracked under CWE-94 (Code Injection).

An authenticated attacker with network access can supply crafted input to trigger code execution on the server. The vulnerability carries a CVSS 3.1 base score of 9.9, reflecting network reachability, low attack complexity, low privileges required, no user interaction, changed scope, and full compromise of confidentiality, integrity, and availability.

Its listing in the CISA Known Exploited Vulnerabilities catalog (added 10 December 2021) indicates evidence of exploitation in the wild and underscores the need to upgrade to version 0.54.0 or later.

EU & UK References

Vulnerability details

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. The cause is a misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.

CWE(s): CWE-94 (Code Injection)
KEV date added: 10 December 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mongo-express project
mongo-express
versions before 0.54.0 (fixed in 0.54.0)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires applying the vendor patch that upgrades mongo-express to 0.54.0 or later and eliminates the unsafe vm/toBSON code path.

SI-10 Information Input Validation (prevent)

Mandates validation and sanitization of all input reaching the toBSON endpoint so that attacker-supplied strings cannot be executed as code.

AC-6 Least Privilege (prevent)

Limits the privileges of the mongo-express process so that even a successful RCE yields only the minimal rights granted to that service account.

References