10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10758

GHSA ID

GHSA-h47j-hc6x-h3qq

EPSS Score

0.99954%

CWE

CWE-78

Published

12/30/2019

Updated

2/7/2025

KEV Status

Yes

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10758

CVE-2019-10758: Remote Code Execution Vulnerability in NPM mongo-express

Impact

Remote code execution on the host machine by any authenticated user.

Proof Of Concept

Launching mongo-express on a Mac, pasting the following into the "create index" field will pop open the Mac calculator:

this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')

Patches

Users should upgrade to version 0.54.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Snyk Security Advisory CVE

For more information

If you have any questions or comments about this advisory:

Open an issue in example link to repo
Email us at example email address

Thanks

@JLLeitschuh for finding and reporting this vulnerability

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10758

GHSA ID

GHSA-h47j-hc6x-h3qq

EPSS Score

0.99954%

CWE

CWE-78

Published

12/30/2019

Updated

2/7/2025

KEV Status

Yes

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mongo-express	npm	< 0.54.0	0.54.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unsafe usage of Node.js' vm module in the BSON parsing logic. The proof-of-concept demonstrates attacker-controlled input reaching the vm context, enabling access to process.mainModule.require(). The commit diff shows replacement of vm-based parsing with mongodb-query-parser in lib/bson.js, and Snyk's advisory explicitly mentions 'endpoints that use the toBSON method' as the attack vector. The combination of direct code execution evidence and patching strategy confirms toBSON's role.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t R*mot* *o** *x**ution on t** *ost m***in* *y *ny *ut**nti**t** us*r. ### Proo* O* *on**pt L*un**in* mon*o-*xpr*ss on * M**, p*stin* t** *ollowin* into t** "*r**t* in**x" *i*l* will pop op*n t** M** **l*ul*tor: ```j*v*s*ript t*is.*onstr

Reasoning

T** vuln*r**ility st*ms *rom uns*** us*** o* No**.js' `vm` mo*ul* in t** *SON p*rsin* lo*i*. T** proo*-o*-*on**pt **monstr*t*s *tt**k*r-*ontroll** input r****in* t** `vm` *ont*xt, *n**lin* ****ss to `pro**ss.m*inMo*ul*.r*quir*()`. T** *ommit *i** s*o

10

Basic Information

Concerned about an active attack path?

CVE-2019-10758: Remote Code Execution Vulnerability in NPM mongo-express

Impact

Proof Of Concept

Patches

Workarounds

References

For more information

Thanks

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI