CVE-2019-10758

Description

### Impact Remote code execution on the host machine by any authenticated user. ### Proof Of Concept Launching mongo-express on a Mac, pasting the following into the "create index" field will pop open the Mac calculator: ```javascript this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator') ``` ### Patches Users should upgrade to version `0.54.0` ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ ### For more information If you have any questions or comments about this advisory: * Open an issue in [example link to repo](http://example.com) * Email us at [example email address](mailto:example@example.com) #### Thanks @JLLeitschuh for finding and reporting this vulnerability This vulnerability has been [exploited](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758) in the wild.

How to fix CVE-2019-10758

To remediate CVE-2019-10758, upgrade the affected package to a fixed version below.

• —upgrade to 0.54.0 or later

Is CVE-2019-10758 being exploited?

Yes — CVE-2019-10758 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (1)

• from 0, < 0.54.0

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10758
• PATCHgithub.com/mongo-express/mongo-express
• WEBgithub.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60
• WEBgithub.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494