CVE-2019-5413

9.8 CRITICAL

📋 TL;DR

CVE-2019-5413 is a command injection vulnerability in the morgan npm package that allows attackers to execute arbitrary commands on the server by manipulating the format parameter. This affects any application using morgan for HTTP request logging with versions below 1.9.1. The vulnerability can lead to complete system compromise.

💻 Affected Systems

Products:
  • morgan npm package
Versions: All versions < 1.9.1
Operating Systems: All operating systems running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when morgan is used with dynamic format strings built from user input. Applications that do not take the format parameter from untrusted sources may not be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full remote code execution leading to complete server takeover, data exfiltration, and lateral movement within the network.

🟠 Likely Case: Arbitrary command execution allowing attackers to read sensitive files, modify application behavior, or establish persistence.

🟢 If Mitigated: Limited impact if proper input validation and sandboxing are implemented, potentially only causing denial of service.

🌐 Internet-Facing: HIGH - Web applications using morgan are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface compared to internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward - attackers simply need to send malicious format parameter values. Multiple public proof-of-concept examples exist.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.1

Vendor Advisory: https://www.npmjs.com/advisories/534

Restart Required: Yes

Instructions:

1. Update morgan package: npm update morgan
2. Verify version is 1.9.1 or higher: npm list morgan
3. Restart the Node.js application
4. Test that logging functionality still works correctly

🔧 Temporary Workarounds

Input validation for format parameter (applies to: all)

Implement strict input validation so that the format parameter can only select one of morgan's predefined format names; never pass the raw user string to morgan().

// In your Express/Node.js application:
// Validate the format parameter before passing it to morgan.
const allowedFormats = ['combined', 'common', 'dev', 'short', 'tiny'];
const requested = req.query.format;
// Reject unknown values by falling back to a default format;
// only a value from the allowlist ever reaches morgan().
const format = allowedFormats.includes(requested) ? requested : 'combined';
app.use(morgan(format));

Use static format strings (applies to: all)

Avoid using dynamic format strings from user input entirely.

// Instead of: morgan(req.query.format)
// Use a static, predefined format:
app.use(morgan('combined'));

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user-provided format parameters
  • Use web application firewall (WAF) rules to block suspicious format parameter values containing shell metacharacters

🔍 How to Verify

Check if Vulnerable / Check Version:

Check package.json or run: npm list morgan | grep morgan

Verify Fix Applied:

Run: npm list morgan and verify the reported version is 1.9.1 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual format parameter values in HTTP requests
  • Semicolons, backticks, or pipe characters in format parameters
  • Unexpected child process spawns from Node.js application

Network Indicators:

  • HTTP requests with suspicious format parameters containing shell metacharacters
  • Outbound connections from application server to unexpected destinations

SIEM Query:

source="web_logs" AND (format="*;*" OR format="*`*" OR format="*|*")
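Added example, not code from this advisory or from the morgan project: it combines the two workarounds above (allowlist the format name and never pass user input to morgan) with the detection logic of this section run over constructed access-log lines. The Express/morgan wiring itself is omitted; `app.use(morgan(selectFormat(req.query.format)))` is where selectFormat's result would be used.

```javascript
// Added example (not code from this advisory or from the morgan project).
// Mitigation: never hand an untrusted string to morgan(); map a requested
// name onto one of morgan's predefined formats or fall back to a default.
// Detection: scan access-log lines for a `format` query parameter that is
// not a known preset or carries the metacharacters the advisory lists.
const ALLOWED_FORMATS = new Set(['combined', 'common', 'dev', 'short', 'tiny']);
const DEFAULT_FORMAT = 'combined';

// Returns a preset name; anything else falls back to the default.
function selectFormat(requested) {
  return typeof requested === 'string' && ALLOWED_FORMATS.has(requested)
    ? requested
    : DEFAULT_FORMAT;
}

// Characters that never appear in a legitimate preset name.
const META = /[;`|$(){}"'\\<>]/;

// Extracts the URL-decoded `format` query parameter from a request path.
function formatParam(path) {
  const qs = path.split('?')[1];
  if (!qs) return null;
  for (const pair of qs.split('&')) {
    const [key, ...rest] = pair.split('=');
    if (key !== 'format') continue;
    const raw = rest.join('=');
    try { return decodeURIComponent(raw); } catch (e) { return raw; }
  }
  return null;
}

// True when the line's format parameter is unknown or contains metacharacters.
function isSuspiciousLine(line) {
  const m = /"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/.exec(line);
  if (!m) return false;
  const value = formatParam(m[1]);
  return value !== null && (!ALLOWED_FORMATS.has(value) || META.test(value));
}
function suspiciousLines(lines) {
  return lines.filter(isSuspiciousLine);
}

// Constructed sample lines in morgan's "combined" layout (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /?format=dev HTTP/1.1" 200 512 "-" "curl/7.64"',
  '10.0.0.6 - - [01/Jan/2020:10:00:01 +0000] "GET /?format=combined;foo HTTP/1.1" 200 512 "-" "curl/7.64"',
  '10.0.0.7 - - [01/Jan/2020:10:00:02 +0000] "GET /?format=short%7Cbar HTTP/1.1" 200 512 "-" "curl/7.64"',
  '10.0.0.8 - - [01/Jan/2020:10:00:03 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.18"',
];
```

Running suspiciousLines(SAMPLE_LOG) flags the second and third constructed lines only; the first uses a valid preset and the last carries no format parameter at all.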
