CVE-2019-10758

CRITICAL KEV NUCLEI

mongo-express < 0.54.0 - Remote Code Execution via toBSON Method

Title source: llm

Exploitation Summary

CVE-2019-10758 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added December 10, 2021. EIP tracks 3 public exploits from researchers including masahiro331, lp008, dyeat. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2019-10758, a remote code execution vulnerability in mongo-express. The exploit escapes the Node.js `vm` context in which mongo-express evaluated user-supplied document text and executes arbitrary commands via a crafted document payload.

Description

mongo-express before 0.54.0 is vulnerable to Remote Code Execution via endpoints that use the `toBSON` method. That method misuses the `vm` dependency to evaluate user-supplied document text in a non-safe environment: `vm` only hides the host's globals, so the evaluated text can reach the host process and run commands.

Exploits (3)

nomisec WORKING POC 111 stars
by masahiro331 · local
https://github.com/masahiro331/CVE-2019-10758

This repository contains a functional exploit for CVE-2019-10758, a remote code execution vulnerability in mongo-express. The exploit escapes the Node.js `vm` context used by `toBSON` to execute arbitrary commands via a crafted document payload.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: mongo-express version 0.53.0
Auth required
Prerequisites: Docker with MongoDB and mongo-express 0.53.0 running · Basic authentication credentials
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 5 stars
by lp008 · remote
https://github.com/lp008/CVE-2019-10758

This repository contains a functional exploit for CVE-2019-10758, a remote code execution vulnerability in mongo-express. The exploit escapes the Node.js `vm` context used by `toBSON` to execute arbitrary commands via crafted POST requests, demonstrating a reverse shell payload.

Classification: Working PoC (90%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: mongo-express (versions prior to 0.54.0)
No auth needed
Prerequisites: Network access to the vulnerable mongo-express instance · Ability to send crafted POST requests
devstral-2 · analyzed Feb 19, 2026
github WORKING POC
by dyeat · pythonpoc
https://github.com/dyeat/cve-reproduction/tree/main/MongoDB/mongo-express/CVE-2019-10758

The repository contains a functional Python script that exploits CVE-2019-10758, a remote code execution vulnerability in mongo-express. The exploit sends a crafted payload to the '/checkValid' endpoint, leveraging server-side JavaScript evaluation to execute arbitrary commands.

Classification: Working PoC (95%)
Attack type: RCE
Complexity: Trivial
Reliability: Reliable
Target: mongo-express before 0.54.0
Auth required
Prerequisites: Target URL · Basic authentication credentials (admin:pass)
devstral-2 · analyzed May 22, 2026

Nuclei Templates (1)

mongo-express Remote Code Execution
CRITICAL · by princechaddha
Shodan: http.title:"Mongo Express" || http.title:"mongo express"
FOFA: title="mongo express"

References (2)

Core references

https://snyk.io/vuln/SNYK-JS-MONGOEXPRESS-473215 (Exploit, Third Party Advisory)

Scores

CVSS v3 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS 0.9435 (percentile 100.0%)
Attack Vector NETWORK

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-12-10
VulnCheck KEV 2020-11-06
InTheWild.io 2021-04-08
ENISA EUVD EUVD-2019-0791
CWE
CWE-94
Status published
Products (2)
mongo-express_project/mongo-express < 0.54.0
npm/mongo-express >= 0, < 0.54.0 (npm)
Published Dec 24, 2019
KEV Added Dec 10, 2021
Tracked Since Feb 18, 2026