CVE-2019-10758

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to...

Basic Information

CVE State: PUBLISHED
Reserved Date: April 03, 2019
Published Date: December 24, 2019
Last Updated: February 07, 2025
Vendor: n/a
Product: mongo-express
Description: mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.

CVSS Scores

SSVC Information

Exploitation: active
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2021-12-10 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2020-12-01 09:18:57 UTC) Source

References

https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-12-10 00:00:00 UTC

Scanner Integrations

Scanner	URL	Date Detected
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2019/CVE-2019-10758.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

ossf-cve-benchmark/CVE-2019-10758

Type: github • Created: 2020-12-01 09:18:57 UTC • Stars: 1

lp008/CVE-2019-10758

Type: github • Created: 2020-01-05 14:05:56 UTC • Stars: 5

CVE-2019-10758

masahiro331/CVE-2019-10758

Type: github • Created: 2019-12-26 06:58:56 UTC • Stars: 111