vulnerability

Mongo Express: CVE-2019-10758: Improper Control of Generation of Code

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:S/C:C/I:C/A:C)

Published

Dec 24, 2019

Added

Aug 14, 2025

Modified

Aug 14, 2025

Description

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that uses the `toBSON` method. A misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.

Solution

mongo-express-upgrade-latest

References

CVE-2019-10758
https://attackerkb.com/topics/CVE-2019-10758
https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215
CWE-94

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report