CVE-2019-10758

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. A misuse of the `vm` dependency to...

Basic Information

CVE State
PUBLISHED
Reserved Date
April 03, 2019
Published Date
December 24, 2019
Last Updated
July 30, 2025
Vendor
mongo-express
Product
mongo-express
Description
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. The root cause is a misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
Tags
cisa nuclei_scanner nessus_scanner

CVSS Scores

CVSS v3.1

9.9 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v2.0

9.0

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2021-12-10 00:00:00 UTC) Source
Proof of Concept Available
Yes (added 2020-12-01 09:18:57 UTC) Source

Known Exploited Vulnerability Information

Source: CISA
Added Date: 2021-12-10 00:00:00 UTC

Scanner Integrations

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

ossf-cve-benchmark/CVE-2019-10758

Type: github • Created: 2020-12-01 09:18:57 UTC • Stars: 1

lp008/CVE-2019-10758

Type: github • Created: 2020-01-05 14:05:56 UTC • Stars: 5

CVE-2019-10758

masahiro331/CVE-2019-10758

Type: github • Created: 2019-12-26 06:58:56 UTC • Stars: 111

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel

  • Detected by Nessus

  • Detected by Nuclei