mongo-express
npm
4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting mongo-express
- CVE-2019-10758 | CRITICAL | CVSS 9.9 | EG 9.9 | ⚠ KEV | ✓ Fixed in 0.54.0 | 2019-12-24
mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method, caused by a misuse of the `vm` dependency to perform `exec` commands in a non-safe environment.
- CVE-2021-21422 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 1.0.0-alpha.4 | 2021-06-21
mongo-express is a web-based MongoDB admin interface, written with Node.js and express. 1: As mentioned in this issue: https://github.com/mongo-express/mongo-express/issues/577, when the content of a cell grows larger than supported size, …
- CVE-2021-23372 | MEDIUM | CVSS 4.4 | EG 4.4 | 2021-04-13
All versions of package mongo-express are vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.
- CVE-2023-52555 | MEDIUM | CVSS 6.1 | EG 6.1 | 2024-03-01
In mongo-express 1.0.2, /admin allows CSRF, as demonstrated by deletion of a Collection.