PT-2019-4513 · Mongodb · Mongo-Express

Jonathan Leitschuh · Published 2019-10-14 · Updated 2025-03-13 · CVE-2019-10758

CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: mongo-express versions prior to 0.54.0

Description: The issue stems from incorrect management of code generation in the Mongo-express web interface for MongoDB database management. It allows a remote attacker to execute arbitrary code on the target system by sending a specially crafted request. The vulnerability is exploited via endpoints that use the toBSON method, which misuses the vm dependency to evaluate input in an environment that is not a security sandbox. This can lead to remote code execution on the host machine by any authenticated user.

Recommendations: For versions prior to 0.54.0, upgrade to version 0.54.0 to resolve the issue. As a temporary workaround, consider restricting access to endpoints that use the toBSON method until the upgrade is applied, and avoid using the toBSON method in sensitive operations until the issue is resolved.

Tags: Exploit · Fix · RCE · OS Command Injection · Code Injection


Weakness Enumeration

Related Identifiers

BDU:2020-00407
CVE-2019-10758
GHSA-H47J-HC6X-H3QQ
SNYK-JS-MONGOEXPRESS-473215

Affected Products

Mongo-Express