CVE-2020-24391
📋 TL;DR
CVE-2020-24391 is a critical vulnerability in the mongo-express web-based MongoDB admin interface that allows remote code execution through unsafe parsing of its advanced query syntax. It affects all mongo-express deployments before version 1.0.0. Attackers can execute arbitrary commands on the server hosting mongo-express.
💻 Affected Systems
- mongo-express
📦 What is this software?
Mongo Express by Mongo Express Project
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise: an attacker can execute arbitrary system commands, access or modify all MongoDB data, pivot to other systems, and establish persistent backdoors.
Likely Case
Remote code execution leading to data theft, database manipulation, and potential lateral movement within the network.
If Mitigated
Limited impact if mongo-express is isolated, network-restricted, and running with minimal privileges.
🎯 Exploit Status
Exploitation is straightforward using specially crafted queries. Public proof-of-concept code exists and the vulnerability is similar to CVE-2019-10769.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.0.0 and later
Vendor Advisory: https://github.com/mongo-express/mongo-express/commit/3a26b079e7821e0e209c3ee0cc2ae15ad467b91a
Restart Required: Yes
Instructions:
1. Update mongo-express to version 1.0.0 or later using npm: 'npm update mongo-express'
2. Restart the mongo-express service
3. Verify the update with 'npm list mongo-express'
🔧 Temporary Workarounds
Disable mongo-express
Linux: completely disable mongo-express if it is not required for operations
sudo systemctl stop mongo-express
sudo systemctl disable mongo-express
Network isolation
Linux: restrict network access to mongo-express using firewall rules
sudo iptables -A INPUT -p tcp --dport 8081 -s trusted_ip -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8081 -j DROP
🧯 If You Can't Patch
- Immediately restrict network access to mongo-express using firewall rules to allow only trusted IP addresses
- Run mongo-express with minimal privileges using a non-root user and container isolation if possible
🔍 How to Verify
Check if Vulnerable:
Check the mongo-express version with 'npm list mongo-express', or check the installed package's package.json for a version below 1.0.0
Check Version:
npm list mongo-express | grep mongo-express
Verify Fix Applied:
Verify version is 1.0.0 or later: 'npm list mongo-express | grep mongo-express' should show version >=1.0.0
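The version check above can be scripted so it is applied consistently across hosts. The following is an added example, not code from the advisory or from the mongo-express project: it parses the output of 'npm list mongo-express' (the sample outputs inside it are constructed, not captured from a real host) and compares the installed version against 1.0.0 using semver ordering. Because semver places pre-releases such as 1.0.0-alpha.4 before 1.0.0, the check treats them as "before 1.0.0" as the advisory states, which is the conservative reading. One practitioner caveat on the fix instructions: 'npm update' stays within the semver range declared in package.json, so a dependency pinned as ^0.x will not move to 1.0.0 on its own; the range must be raised (for example 'npm install mongo-express@^1.0.0') for the update to take effect.

```javascript
// Added example (not from the advisory or the mongo-express project): decide from
// `npm list mongo-express` output whether the installed version is below the
// patched 1.0.0 release. Sample outputs below are constructed.

const PATCHED = '1.0.0';

// Parse a semver string into comparable parts (build metadata after '+' is ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Comparator: negative when a < b, zero when equal, positive when a > b.
// A pre-release (1.0.0-alpha.4) sorts before its release (1.0.0), as semver specifies.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] - y[k];
  }
  if (x.pre === null && y.pre === null) return 0;
  if (x.pre === null) return 1;   // release > pre-release
  if (y.pre === null) return -1;
  // Compare pre-release identifiers pairwise: numeric ones numerically and
  // below alphanumeric ones; a shorter identifier list sorts lower.
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) { if (+p !== +q) return +p - +q; }
    else if (pn) return -1;
    else if (qn) return 1;
    else if (p !== q) return p < q ? -1 : 1;
  }
  return 0;
}

// Extract the mongo-express version from `npm list` output; null when not installed.
function installedVersion(npmListOutput) {
  const m = /mongo-express@([^\s]+)/.exec(npmListOutput);
  return m ? m[1] : null;
}

// true when mongo-express is installed at a version below 1.0.0 (affected by CVE-2020-24391).
function isVulnerable(npmListOutput) {
  const v = installedVersion(npmListOutput);
  if (v === null) return false;
  return compareSemver(v, PATCHED) < 0;
}

// Constructed sample outputs in the shape `npm list mongo-express` prints.
const SAMPLE_OLD = 'myapp@1.0.0 /srv/myapp\n└── mongo-express@0.54.0\n';
const SAMPLE_NEW = 'myapp@1.0.0 /srv/myapp\n└── mongo-express@1.0.2\n';
const SAMPLE_NONE = 'myapp@1.0.0 /srv/myapp\n(empty)\n';

if (typeof require !== 'undefined' && require.main === module) {
  for (const out of [SAMPLE_OLD, SAMPLE_NEW, SAMPLE_NONE]) {
    const v = installedVersion(out);
    console.log(v === null ? 'not installed' : v,
      isVulnerable(out) ? 'VULNERABLE (< 1.0.0)' : 'not affected');
  }
}
```

On a real host, pipe the actual command output into isVulnerable (for example by reading it from child_process.execSync('npm list mongo-express')), and run the check in the directory of the application that depends on mongo-express, since npm reports the package tree of the current project.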
📡 Detection & Monitoring
Log Indicators:
- Unusual query patterns in mongo-express logs
- System command execution attempts
- Error messages related to query parsing
Network Indicators:
- Unusual HTTP requests to mongo-express query endpoints
- Outbound connections from mongo-express server to unexpected destinations
SIEM Query:
source="mongo-express" AND ("query" OR "parse" OR "eval") AND (error OR exception OR "malformed")
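The SIEM query above is a broad keyword search, so it helps to see how it behaves on concrete lines before deploying it. The following is an added example, not code from the advisory or from the mongo-express project: it expresses the query as a predicate over individual log entries and runs it against constructed sample lines. The line format (timestamp, source, client, level, message) is an assumption made for the example, not the real mongo-express log format, and the client addresses are constructed. It also adds a per-client count, since repeated parse failures from one client are a stronger signal than a single malformed request.

```javascript
// Added example (not from the advisory): the advisory's SIEM query
//   source="mongo-express" AND ("query" OR "parse" OR "eval") AND (error OR exception OR "malformed")
// as a predicate over parsed log entries, run on constructed sample lines.
// The "ts source=... client=... level=... msg" layout is an assumed format.

const QUERY_TERMS = ['query', 'parse', 'eval'];
const ERROR_TERMS = ['error', 'exception', 'malformed'];

// Parse one line of the assumed format; null for lines that do not match it.
function parseLine(line) {
  const m = /^(\S+)\s+source=(\S+)\s+client=(\S+)\s+level=(\S+)\s+(.*)$/.exec(line);
  if (!m) return null;
  return { ts: m[1], source: m[2], client: m[3], level: m[4], msg: m[5] };
}

// Mirror the SIEM query: right source, at least one query term and one error term.
// Level and message are searched together so "level=error" satisfies the error clause.
function matchesSiemQuery(entry) {
  if (!entry || entry.source !== 'mongo-express') return false;
  const text = `${entry.level} ${entry.msg}`.toLowerCase();
  const hasQueryTerm = QUERY_TERMS.some((t) => text.includes(t));
  const hasErrorTerm = ERROR_TERMS.some((t) => text.includes(t));
  return hasQueryTerm && hasErrorTerm;
}

// All entries in a block of log text that the query would surface.
function findSuspiciousEntries(logText) {
  return logText.split('\n').map(parseLine).filter(matchesSiemQuery);
}

// Clients with at least `threshold` matching entries, sorted for stable output.
function clientsOverThreshold(entries, threshold) {
  const counts = new Map();
  for (const e of entries) counts.set(e.client, (counts.get(e.client) || 0) + 1);
  return [...counts].filter(([, n]) => n >= threshold).map(([c]) => c).sort();
}

// Constructed sample log, not captured from a real deployment.
const SAMPLE_LOG = [
  '2020-08-20T10:00:00Z source=mongo-express client=10.0.0.5 level=info GET /db/test/collection served',
  '2020-08-20T10:00:05Z source=mongo-express client=10.0.0.9 level=error failed to parse advanced query: malformed input',
  '2020-08-20T10:00:07Z source=nginx client=10.0.0.9 level=error upstream timed out',
  '2020-08-20T10:00:09Z source=mongo-express client=10.0.0.5 level=warn query returned 0 documents',
  '2020-08-20T10:00:12Z source=mongo-express client=10.0.0.9 level=error exception while evaluating query expression',
  'not a log line at all',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const hits = findSuspiciousEntries(SAMPLE_LOG);
  for (const h of hits) console.log(`${h.ts} ${h.client} ${h.level}: ${h.msg}`);
  console.log('clients with 2+ hits:', clientsOverThreshold(hits, 2));
}
```

Running it shows the two error lines from client 10.0.0.9 surfacing while the nginx line (wrong source) and the benign "query returned 0 documents" warning (no error term) do not. The bare terms are still broad: any ordinary query failure logged at error level will match, so in production the query should be tuned to the actual log format and paired with the count-based view rather than alerting on single hits.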