
CVE-2021-23372: Denial of Service (DoS) in mongo-express

CVSS Score: 4.4 (CVSS v3.1)

Basic Information

EPSS Score: 0.53372%
Published: 10/6/2021
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

Package Name: mongo-express
Ecosystem: npm
Vulnerable Versions: <= 0.54.0
First Patched Version: not given

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability occurs during CSV export of empty collections, which strongly implicates the collection export handler. CWE-754 (Improper Check for Unusual or Exceptional Conditions) indicates a missing check for an exceptional condition, in this case the empty result set encountered when generating CSV headers and content. While the exact code isn't available, mongo-express's architecture suggests the collection export logic lives in the collection route handlers, and the error would surface when the handler tries to read document properties from an empty result set.

WAF Protection Rules

WAF Rule

All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.
