Vulnerability details: VCID-2auc-8zsk-kqhg
Vulnerability ID VCID-2auc-8zsk-kqhg
Aliases CVE-2019-10758
GHSA-h47j-hc6x-h3qq
Summary mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. The root cause is a misuse of the Node.js `vm` dependency: user-supplied input is evaluated through `vm` in a context that is not a security boundary, so crafted input can escape it and execute arbitrary code in the mongo-express process.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
epss 0.94352 https://api.first.org/data/v1/epss?cve=CVE-2019-10758
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-h47j-hc6x-h3qq
cvssv3.1 9.9 https://github.com/mongo-express/mongo-express
generic_textual CRITICAL https://github.com/mongo-express/mongo-express
cvssv3.1 9.9 https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60
generic_textual CRITICAL https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60
cvssv3.1 9.9 https://github.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494
generic_textual CRITICAL https://github.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494
cvssv3.1 9.9 https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2
generic_textual CRITICAL https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2
cvssv3.1 9.9 https://github.com/mongo-express/mongo-express/pull/522
generic_textual CRITICAL https://github.com/mongo-express/mongo-express/pull/522
cvssv3.1 9.9 https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq
cvssv3.1_qr CRITICAL https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq
generic_textual CRITICAL https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq
cvssv3.1 9.9 https://nvd.nist.gov/vuln/detail/CVE-2019-10758
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2019-10758
cvssv3.1 9.9 https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
cvssv3.1 9.9 https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
generic_textual CRITICAL https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
ssvc Attend https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
cvssv3.1 9.9 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758
generic_textual CRITICAL https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758
Data source KEV
Date added Dec. 10, 2021
Description mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method.
Required action Apply updates per vendor instructions.
Due date June 10, 2022
Note
https://nvd.nist.gov/vuln/detail/CVE-2019-10758
Ransomware campaign use Unknown
CVSS and SSVC vectors by source:
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://github.com/mongo-express/mongo-express
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://github.com/mongo-express/mongo-express/blob/ea02b364d43f179f191fc91fb9962efdb0843a8d/lib/bson.js#L60
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://github.com/mongo-express/mongo-express/commit/7d365141deadbd38fa961cd835ce68eab5731494
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://github.com/mongo-express/mongo-express/commit/d8c9bda46a204ecba1d35558452685cd0674e6f2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://github.com/mongo-express/mongo-express/pull/522
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://github.com/mongo-express/mongo-express/security/advisories/GHSA-h47j-hc6x-h3qq
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-10758
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T12:54:06Z/ Found at https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10758

Decoded CVSS v3.1 base metrics (identical in every CVSS vector above): Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high. This base vector scores 9.9 (Critical), matching the scores listed above. The temporal metric E:H (Exploit Code Maturity: high) is carried by every CVSS vector except the first Snyk one and agrees with the KEV entry above. PR:L is the practical caveat for triage: the attacker must be able to authenticate to the mongo-express web UI before sending crafted input to an endpoint that passes it through `toBSON`.

Exploit Prediction Scoring System (EPSS)
Percentile 0.99961
EPSS Score 0.94352
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T17:35:19.580651+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2019/10xxx/CVE-2019-10758.json 38.6.0