1.9.2
1.9.1
CVE-2019-5413 describes a critical code injection vulnerability affecting the morgan Node.js module. This vulnerability arises when user input is improperly handled within the module's filter or when combined with a prototype pollution attack, enabling attackers to execute arbitrary code. The vulnerability impacts versions of morgan released before 1.9.1, and a fix is available in version 1.9.1 and later.
The impact of CVE-2019-5413 is severe. An attacker who can control the input used in the morgan filter can inject arbitrary code into the Node.js process. This could lead to complete compromise of the server, including data exfiltration, modification, or deletion. The vulnerability is particularly concerning in applications that log user-supplied data, as this data could be manipulated to inject malicious payloads. Successful exploitation could allow an attacker to gain persistent access to the system, potentially moving laterally to other resources within the network. This vulnerability shares similarities with prototype pollution attacks, where attackers manipulate JavaScript object prototypes to alter application behavior.
CVE-2019-5413 was publicly disclosed on March 25, 2019. While no active exploitation campaigns have been definitively linked to this vulnerability, its critical severity and the ease of exploitation make it a potential target. There are publicly available proof-of-concept exploits demonstrating the code injection vulnerability. The vulnerability is not currently listed on the CISA KEV catalog, but its severity warrants careful attention and prompt remediation.
Applications built with Node.js that utilize the morgan module for logging, particularly those that allow user-supplied data to influence the logging format, are at risk. This includes web applications, APIs, and backend services. Shared hosting environments where users can influence application configuration are also particularly vulnerable.
• nodejs / server: `npm list morgan`
• nodejs / server: `npm audit`
• nodejs / server: Check package.json for morgan versions < 1.9.1. Review application code for usage of morgan's filter function with unsanitized user input.
EPSS: 1.95% (83rd percentile)
The primary mitigation for CVE-2019-5413 is to upgrade the morgan module to version 1.9.1 or later. If upgrading immediately is not feasible due to compatibility issues or breaking changes, consider implementing input validation and sanitization on any user-supplied data used in the morgan filter. Strictly limit the characters allowed in the filter to prevent injection attempts. Web application firewalls (WAFs) configured to detect and block code injection attempts can provide an additional layer of defense. Monitor application logs for suspicious activity, such as unexpected code execution or unusual filter patterns. After upgrading, confirm the fix by attempting to inject a simple payload into the filter and verifying that it is properly sanitized.
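The two defender-side checks described above (the `npm list morgan` version check and restricting what user-influenced input may pass to morgan's format handling), as an added example that is not code from the morgan project; the `npm list` output and the fixed allowlist of format names are constructed assumptions:

```javascript
// Added example, not code from the morgan project: two defender-side checks
// for CVE-2019-5413. findVulnerableMorgan() scans `npm list morgan` output for
// installed versions below the fixed 1.9.1; selectLogFormat() makes sure a
// user- or config-influenced value can only pick a predefined morgan format,
// so arbitrary strings never reach morgan's format handling.

// Predefined format names shipped with morgan. Assumption: these are the only
// formats the application wants to expose.
const ALLOWED_FORMATS = new Set(['combined', 'common', 'dev', 'short', 'tiny']);

// Returns true when an installed x.y.z version is older than 1.9.1.
function isBeforeFix(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  const have = m.slice(1).map(Number);
  const fixed = [1, 9, 1];
  for (let i = 0; i < 3; i++) {
    if (have[i] !== fixed[i]) return have[i] < fixed[i];
  }
  return false; // exactly 1.9.1 is already fixed
}

// Scan the text output of `npm list morgan` (every nested copy counts, since
// a transitive dependency can pull in an old release) and return the
// vulnerable versions found.
function findVulnerableMorgan(npmListOutput) {
  const found = [];
  for (const m of npmListOutput.matchAll(/morgan@(\d+\.\d+\.\d+)/g)) {
    if (isBeforeFix(m[1])) found.push(m[1]);
  }
  return found;
}

// Only allowlisted format names are returned; anything else falls back to a
// fixed default. Use it as morgan(selectLogFormat(process.env.LOG_FORMAT)).
function selectLogFormat(requested, fallback = 'combined') {
  if (typeof requested !== 'string') return fallback;
  const name = requested.trim().toLowerCase();
  return ALLOWED_FORMATS.has(name) ? name : fallback;
}

// Constructed sample of `npm list morgan` output for a project with one
// direct copy and one transitive copy of morgan.
const SAMPLE_NPM_LIST = [
  'my-app@1.0.0 /srv/my-app',
  '├── morgan@1.9.0',
  '└─┬ some-plugin@2.0.0',
  '  └── morgan@1.9.1',
].join('\n');
```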
Update the morgan package to version 1.9.1 or higher. This fixes the command injection vulnerability. Run `npm install morgan@latest` to update.
CVE-2019-5413 is a critical code injection vulnerability in the Morgan Node.js module, allowing attackers to execute arbitrary code through prototype pollution if user input is improperly handled.
You are affected if you are using a version of Morgan prior to 1.9.1 and your application allows user input to influence the logging format.
Upgrade the Morgan module to version 1.9.1 or later. If immediate upgrade is not possible, sanitize user input passed to the filter function.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and potential impact warrant immediate attention and remediation.
Refer to the Morgan project's repository and related security advisories for detailed information and updates: https://github.com/expressjs/morgan