CVE-2019-10758
Published: 24 December 2019
Summary
CVE-2019-10758 is a critical-severity Code Injection (CWE-94) vulnerability in mongo-express, maintained by the Mongo-Express project. Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
mongo-express versions prior to 0.54.0 contain a remote code execution vulnerability in endpoints that invoke the toBSON method. The flaw stems from unsafe use of the vm dependency, which permits execution of arbitrary commands outside a restricted context and is tracked under CWE-94.
An authenticated attacker with network access can supply crafted input to trigger command execution on the server. The vulnerability carries a CVSS 3.1 score of 9.9, reflecting low attack complexity, no user interaction, changed scope, and full compromise of confidentiality, integrity, and availability.
Public references list the issue in the CISA Known Exploited Vulnerabilities catalog, confirming observed exploitation in the wild and underscoring the need to upgrade to version 0.54.0 or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-0791
Vulnerability details
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method, through misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
- CWE(s): CWE-94
- KEV Date Added: 10 December 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): apply the vendor patch by upgrading mongo-express to 0.54.0 or later, which removes the unsafe vm/toBSON code path.
SI-10 (Information Input Validation): validate and sanitize all input reaching the toBSON endpoint so that attacker-supplied strings are never evaluated as code.
Least privilege: run the mongo-express process under a dedicated service account with minimal rights, so that even a successful RCE yields only the limited privileges granted to that account.
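The SI-10 control above, as an added example that is not mongo-express's own code: a document parser that treats user-supplied text strictly as data (the vulnerable pattern this replaces is evaluating that text in a `vm` context), plus a version gate for the 0.54.0 fix the advisory names. The function names and the depth and size limits are assumptions chosen for this illustration.

```javascript
// Hardened replacement for an "evaluate the document text" code path:
// JSON.parse never executes its input, and the walk below enforces a
// structural allowlist on the parsed result before it is used.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_DOCUMENT_BYTES = 1_000_000; // constructed limit for this example

function parseDocumentSafe(text, maxDepth = 32) {
  if (typeof text !== 'string' || text.length > MAX_DOCUMENT_BYTES) {
    throw new TypeError('document must be a string under the size limit');
  }
  // Anything that is not JSON (including JavaScript source) is rejected here,
  // so there is no path from the request body to a code-execution sink.
  const doc = JSON.parse(text);

  const walk = (value, depth) => {
    if (depth > maxDepth) throw new RangeError('document nested too deeply');
    if (Array.isArray(value)) {
      value.forEach((item) => walk(item, depth + 1));
      return;
    }
    if (value !== null && typeof value === 'object') {
      for (const key of Object.keys(value)) {
        // JSON.parse creates these as own properties; reject them so the
        // document cannot be used for prototype pollution downstream.
        if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden key: ${key}`);
        walk(value[key], depth + 1);
      }
    }
  };
  walk(doc, 0);
  return doc;
}

// Version gate for the fix named in the advisory: anything below 0.54.0 is affected.
function isVulnerableVersion(version) {
  const [major, minor] = version.split('.').map((n) => parseInt(n, 10) || 0);
  return major === 0 && minor < 54;
}
```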