CVE-2021-23372: Denial of Service (DoS) in mongo-express
CVSS Score: 4.4 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.53372%
CWE
Published: 10/6/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
mongo-express | npm | <= 0.54.0 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability occurs during CSV export of empty collections, which strongly implicates the collection export handler. The CWE-754 classification indicates missing checks for exceptional conditions: in this case, failing to handle empty dataset scenarios when generating CSV headers/content. While exact code isn't available, mongo-express's architecture suggests collection export logic resides in collection route handlers, and the error would manifest when trying to access document properties from an empty result set.
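The missing empty-result check described above, shown next to a guarded version. This is an added example, not mongo-express code (which the analysis notes is not available); the function names and sample documents are hypothetical.

```javascript
// Hypothetical export helpers; names are illustrative, not mongo-express identifiers.

// Quote a CSV field when it contains a delimiter, quote, or newline.
function csvField(value) {
  if (value === null || value === undefined) return '';
  const s = typeof value === 'object' ? JSON.stringify(value) : String(value);
  return /[",\r\n]/.test(s) ? '"' + s.replace(/"/g, '""') + '"' : s;
}

// Unchecked pattern: headers are derived from the first document.
// With an empty result set docs[0] is undefined and Object.keys throws a TypeError.
function exportCsvUnchecked(docs) {
  const headers = Object.keys(docs[0]);
  const rows = docs.map((d) => headers.map((h) => csvField(d[h])).join(','));
  return [headers.join(','), ...rows].join('\n');
}

// Checked pattern: validate the input, handle the empty case explicitly,
// and build headers from the union of keys across all documents.
function exportCsvChecked(docs) {
  if (!Array.isArray(docs)) throw new TypeError('docs must be an array');
  if (docs.length === 0) return '';
  const headers = [];
  const seen = new Set();
  for (const d of docs) {
    for (const k of Object.keys(d || {})) {
      if (!seen.has(k)) { seen.add(k); headers.push(k); }
    }
  }
  const rows = docs.map((d) => headers.map((h) => csvField((d || {})[h])).join(','));
  return [headers.map(csvField).join(','), ...rows].join('\n');
}

// Constructed sample data (not taken from any real database).
const sampleDocs = [{ _id: 1, name: 'a,b' }, { _id: 2, tags: ['x'] }];

// Returns true when fn(arg) throws a TypeError, so the failure is observable without crashing.
function throwsOn(fn, arg) {
  try { fn(arg); return false; } catch (e) { return e instanceof TypeError; }
}

console.log('unchecked throws on empty:', throwsOn(exportCsvUnchecked, []));
console.log('checked on empty:', JSON.stringify(exportCsvChecked([])));
console.log(exportCsvChecked(sampleDocs));
```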