Service Notices
Mongo-Express Remote Code Execution Vulnerability (CVE-2019-10758)
Jan 10, 2020 GMT+08:00
I. Overview
The Mongo-Express project has officially disclosed a remote code execution (RCE) vulnerability, CVE-2019-10758, affecting Mongo-Express versions earlier than 0.54.0. Mongo-Express is a lightweight, web-based MongoDB admin interface. In an affected version, any authenticated user can execute arbitrary code on the host. Because Mongo-Express ships with a default account and password, an attacker who reaches an instance that still uses those credentials can authenticate, send crafted requests and exploit the vulnerability, exposing the system to high risk.
We therefore advise Mongo-Express users to check their deployments and apply security hardening promptly.
Reference links:
https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq
https://github.com/masahiro331/CVE-2019-10758/
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Product
Affected Versions:
Mongo-Express versions earlier than 0.54.0
Secure Versions:
Mongo-Express 0.54.0 and later versions
IV. Vulnerability Handling
This vulnerability has been fixed in Mongo-Express 0.54.0. You are advised to upgrade mongo-express to 0.54.0 or a later secure version, and to replace the default credentials with a strong password so that the interface cannot be reached through unauthorized or weak-password access.
Mongo-Express GitHub address: https://github.com/mongo-express/mongo-express
Note: Before applying the fix, back up your files and test the upgrade thoroughly.
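As an added self-check (example code written for this notice, not code from the advisory or from the mongo-express project), the following Node.js script walks a dependency tree in the shape printed by `npm ls --all --json` and applies the two conditions above: any mongo-express install earlier than 0.54.0, and a missing or weak admin password. The sample tree is constructed, the 12-character password minimum is an assumed local policy, and the `ME_CONFIG_BASICAUTH_PASSWORD` environment variable is assumed to be where your deployment sets the password.

```javascript
// Added self-check; not part of this notice or of the mongo-express project. It walks a tree
// shaped like `npm ls --all --json` output (constructed sample below) and applies the advisory's
// two conditions: a version earlier than 0.54.0, and a missing or weak admin password.
const FIXED_VERSION = "0.54.0"; // first secure release named in the advisory
const MIN_PASSWORD_LENGTH = 12; // assumed local policy; the advisory only says "strong"

// Parse "MAJOR.MINOR.PATCH"; a leading "v" and any pre-release suffix are tolerated.
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}
// true if earlier than 0.54.0, false if fixed, null if the version string is unparseable.
function isVulnerableVersion(version) {
  const v = parseVersion(version);
  if (!v) return null;
  const fixed = parseVersion(FIXED_VERSION);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false;
}
// Collect every mongo-express install, including copies pulled in transitively.
function findMongoExpress(tree, trail = [], found = []) {
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...trail, name];
    if (name === "mongo-express" && info.version) {
      found.push({ path: here.join(" > "), version: info.version,
                   vulnerable: isVulnerableVersion(info.version) });
    }
    findMongoExpress(info, here, found);
  }
  return found;
}
// mongo-express reads its admin password from ME_CONFIG_BASICAUTH_PASSWORD (assumed; verify).
function passwordIsWeak(password) {
  return !password || password.trim().length < MIN_PASSWORD_LENGTH;
}
// Constructed sample: one direct install still on 0.53.0, one transitive install already fixed.
const SAMPLE_TREE = { name: "ops-tools", version: "1.0.0", dependencies: {
  "mongo-express": { version: "0.53.0" },
  "admin-bundle": { version: "2.1.0", dependencies: { "mongo-express": { version: "0.54.0" } } },
} };

// Any install that is vulnerable or of unknown version needs action.
function report(tree, password) {
  const installs = findMongoExpress(tree);
  return { installs, needsUpgrade: installs.some((i) => i.vulnerable !== false),
           weakPassword: passwordIsWeak(password) };
}
console.log(JSON.stringify(report(SAMPLE_TREE, process.env.ME_CONFIG_BASICAUTH_PASSWORD), null, 2));
```

To check a real deployment, replace `SAMPLE_TREE` with the parsed output of `npm ls --all --json` run in the application directory.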