9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-17426

GHSA ID

GHSA-8687-vv9j-hgph

EPSS Score

0.46791%

CWE

CWE-20

Published

10/22/2019

Updated

11/29/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-17426

CVE-2019-17426:
Improper Input Validation in Automattic Mongoose

Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

(GitHub Advisory)

9.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-17426

GHSA ID

GHSA-8687-vv9j-hgph

EPSS Score

0.46791%

CWE

CWE-20

Published

10/22/2019

Updated

11/29/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
mongoose	npm	>= 5.0.0, < 5.7.5	5.7.5
mongoose	npm	< 4.13.21	4.13.21

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability was explicitly patched by modifying the cast function in lib/cast.js to delete _bsontype properties. This function is responsible for processing query objects, and the absence of _bsontype sanitization in vulnerable versions directly enabled the filter bypass. The commit diff and CVE description both specifically reference this file and the _bsontype handling as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*utom*tti* Mon*oos* t*rou** *.*.* *llows *tt**k*rs to *yp*ss ****ss *ontrol (in som* *ppli**tions) ****us* *ny qu*ry o*j**t wit* * `_*sontyp*` *ttri*ut* is i*nor**. *or *x*mpl*, ***in* `"_*sontyp*":"*"` **n som*tim*s int*r**r* wit* * qu*ry *ilt*r. NO

Reasoning

T** vuln*r**ility w*s *xpli*itly p*t**** *y mo*i*yin* t** **st *un*tion in li*/**st.js to **l*t* _*sontyp* prop*rti*s. T*is *un*tion is r*sponsi*l* *or pro**ssin* qu*ry o*j**ts, *n* t** **s*n** o* _*sontyp* s*nitiz*tion in vuln*r**l* v*rsions *ir**tl

9.1

Basic Information

Concerned about an active attack path?

CVE-2019-17426: Improper Input Validation in Automattic Mongoose

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-17426:
Improper Input Validation in Automattic Mongoose

Vulnerability Intelligence
Miggo AI