Описание
Remote Code Execution in mongodb-query-parser
Versions of mongodb-query-parser prior to 2.0.0 are vulnerable to Remote Code Execution. The package fails to sanitize queries, allowing attackers to execute arbitrary code in the system. Parsing the following payload executes touch test-file:
'(function () { return (clearImmediate.constructor("return process;")()).mainModule.require("child_process").execSync("touch test-file").toString()})()'
Recommendation
Upgrade to version 2.0.0 or later.
Пакеты
Наименование
mongodb-query-parser
npm
Затронутые версииВерсия исправления
< 2.0.0
2.0.0