On January 3, 2020, we observed that mongo-express officially published an advisory for CVE-2019-10758, rated as a high-severity vulnerability. mongo-express is a widely used MongoDB admin interface hosted on GitHub, so the number of affected users is likely large. We assess the severity as high and the potential harm and impact as significant, and recommend that mongo-express users update promptly to avoid compromise.
Affected versions of this package are vulnerable to remote code execution (RCE) through endpoints that use the toBSON method: the vm dependency, used in a non-secure manner, can be abused to run exec commands. The default credentials are username admin and password pass.
Affected versions: mongo-express, versions 0.54.0 and older
Fixed version: mongo-express version 0.54.0 or higher.
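As an added defender-side check for the advisory above (not code from the original page or from the mongo-express project), the following Node.js script flags a declared mongo-express version below the fixed release and a deployment still using the default admin/pass basic-auth pair. It assumes the ME_CONFIG_BASICAUTH_USERNAME and ME_CONFIG_BASICAUTH_PASSWORD environment variables read by the mongo-express Docker image; the sample package.json is constructed.

```javascript
// Added audit helper for CVE-2019-10758; not part of mongo-express itself.
// Answers: (1) is the declared mongo-express older than the fixed release?
//          (2) are the shipped default credentials admin / pass still in use?
const FIXED_VERSION = '0.54.0';
const DEFAULT_USER = 'admin';
const DEFAULT_PASS = 'pass';

// Compare two dotted version strings numerically (no prerelease handling needed here).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Strip range operators such as ^ ~ >= that appear in package.json specifiers.
function normalizeVersion(spec) {
  return spec.replace(/^[\^~>=<\s]+/, '').trim();
}

// True when the declared mongo-express version is older than the fixed release.
function isVulnerableVersion(spec) {
  return compareVersions(normalizeVersion(spec), FIXED_VERSION) < 0;
}

// True when the basic-auth credentials match the shipped defaults.
// ME_CONFIG_BASICAUTH_USERNAME / _PASSWORD are the env vars the mongo-express
// Docker image reads (assumed here); unset values fall back to admin / pass.
function usesDefaultCredentials(env) {
  const user = env.ME_CONFIG_BASICAUTH_USERNAME || DEFAULT_USER;
  const pass = env.ME_CONFIG_BASICAUTH_PASSWORD || DEFAULT_PASS;
  return user === DEFAULT_USER && pass === DEFAULT_PASS;
}

// Audit a parsed package.json plus an environment map; returns the findings.
function auditMongoExpress(pkg, env) {
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  const spec = deps['mongo-express'];
  return {
    installed: spec !== undefined,
    vulnerableVersion: spec !== undefined && isVulnerableVersion(spec),
    defaultCredentials: usesDefaultCredentials(env),
  };
}

// Constructed sample input: a project pinning a pre-fix release with default creds.
const samplePkg = { dependencies: { 'mongo-express': '^0.53.0' } };
console.log(auditMongoExpress(samplePkg, {}));
```

The package.json specifier is only a lower bound; confirm the resolved version from the lockfile or `npm ls mongo-express` before closing a finding.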