Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTk3bWctM2NyNi0zeDRj
Remote Code Execution in mongodb-query-parser
Versions of mongodb-query-parser
prior to 2.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize queries, allowing attackers to execute arbitrary code in the system. Parsing the following payload executes touch test-file
:
'(function () { return (clearImmediate.constructor("return process;")()).mainModule.require("child_process").execSync("touch test-file").toString()})()'
Recommendation
Upgrade to version 2.0.0 or later.
Permalink: https://github.com/advisories/GHSA-97mg-3cr6-3x4cJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTk3bWctM2NyNi0zeDRj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-97mg-3cr6-3x4c
References: Blast Radius: 0.0
Affected Packages
npm:mongodb-query-parser
Dependent packages: 28Dependent repositories: 100
Downloads: 59,927 last month
Affected Version Ranges: < 2.0.0
Fixed in: 2.0.0
All affected versions: 0.0.1, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.2.0, 0.2.1, 0.2.2, 0.3.0, 0.3.1, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.7.0, 0.7.1, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0
All unaffected versions: 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.5.0, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 4.0.0, 4.0.2, 4.1.0, 4.1.1