Platform
nodejs
Component
morgan
Fixed in
1.9.2
1.9.1
CVE-2019-5413 describes a critical code injection vulnerability in the morgan Node.js HTTP request logger. morgan turns its format string into a JavaScript function by building source text and passing it to `new Function`. In versions before 1.9.1 the format text was not fully escaped before being embedded in that source, so an attacker who controls the format string, whether it is passed in directly from user input or reaches morgan indirectly through a prototype pollution bug elsewhere in the application, can break out of the generated string literal and execute arbitrary JavaScript in the server process. The vulnerability affects morgan releases before 1.9.1; the fix ships in 1.9.1 and later.
The impact of CVE-2019-5413 is severe. Injected code runs with the full privileges of the Node.js process, so an attacker can read application secrets and environment variables, modify files, establish persistence, or pivot to other systems reachable from the server. The prototype pollution path makes the issue easy to miss in review: a seemingly harmless object merge elsewhere in the application can end up deciding which format string morgan compiles. Successful exploitation can mean a complete compromise of the affected host and potentially the surrounding infrastructure.
CVE-2019-5413 was publicly disclosed on March 25, 2019. No active exploitation campaigns have been definitively linked to it, but the CRITICAL severity and the potential for remote code execution make it a high-priority fix. Prototype pollution has received increasing attention from researchers and attackers in recent years, which raises the likelihood that the indirect path to this bug is understood and usable. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Exploit Status
EPSS
1.95% (83% percentile)
CVSS Vector
The primary mitigation for CVE-2019-5413 is to upgrade morgan to version 1.9.1 or later. If an immediate upgrade is not feasible, remove the attack surface instead of trying to sanitize it: treat the format string as code, never build it from request data or configuration an untrusted party can influence, and accept only an allowlist of preset format names checked with an own-property test (`Object.prototype.hasOwnProperty.call`) so that a polluted `Object.prototype` cannot supply a format. Also review the application and its dependencies for prototype pollution bugs (unsafe deep merges, recursive `extend`-style helpers) and fix them, since they are the indirect route to this issue. After upgrading, confirm the installed version with `npm ls morgan`, including nested copies pulled in by other packages, and add a test that passes a format containing a backslash followed by a double quote and asserts that the output is the literal text rather than evaluated code.
Update the morgan package to version 1.9.1 or later; this corrects the code injection vulnerability. Run `npm install morgan@latest` to update, then check `npm ls morgan` to confirm no older copy remains in the dependency tree and commit the updated lockfile so the fixed version is pinned for every deployment.
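The following is an added example, not morgan's own code or code from the original advisory. It is a simplified reconstruction of the format compiler described above, written to show why an attacker-controlled format string is dangerous and what the two mitigations (proper escaping, and an own-property allowlist for preset names) change. The token table, request object, preset table and the `MALICIOUS_FORMAT` string are constructed for this example; `compileUnsafe` models the pre-1.9.1 escaping approach and `compileSafe` models the fix, neither is morgan's source verbatim.

```javascript
'use strict';

// Constructed stand-in for morgan's token table (the real one is much larger).
const tokens = {
  method: (req) => req.method,
  url: (req) => req.url,
};

// Shared step: rewrite each ":name" or ":name[arg]" inside an already quoted
// JS string literal into a concatenated token call.
function expandTokens(quotedLiteral) {
  return quotedLiteral.replace(/:([-\w]{2,})(?:\[([^\]]+)\])?/g, (_, name, arg) => {
    let args = 'req, res';
    if (arg !== undefined) args += ', ' + JSON.stringify(arg);
    return '" + (tokens[' + JSON.stringify(name) + '](' + args + ') || "-") + "';
  });
}

// Model of the pre-1.9.1 behaviour: only the double quote is escaped before the
// format text is pasted into source handed to `new Function`. A backslash in the
// format survives, so `\"` becomes `\\"` in source: an escaped backslash followed
// by a quote that closes the literal. Simplified reconstruction, not morgan's code.
function compileUnsafe(format) {
  if (typeof format !== 'string') throw new TypeError('argument format must be a string');
  const quoted = '"' + format.replace(/"/g, '\\"') + '"';
  return new Function('tokens, req, res', '"use strict";\n  return ' + expandTokens(quoted));
}

// Hardened model of the fix: JSON.stringify emits a complete, fully escaped JS
// string literal (backslashes, quotes, newlines, control characters), so no
// format text can terminate the literal and be parsed as code.
function compileSafe(format) {
  if (typeof format !== 'string') throw new TypeError('argument format must be a string');
  return new Function('tokens, req, res', '"use strict";\n  return ' + expandTokens(JSON.stringify(format)));
}

function runFormat(compile, format, req) {
  return compile(format)(tokens, req, {});
}

// Constructed request object standing in for an Express req.
function sampleRequest() {
  return { method: 'GET', url: '/login' };
}

// Attacker-controlled format string (constructed). Under the unsafe compiler the
// leading `\"` closes the generated literal, `(req.injected = 'pwned')` runs as
// code, and the trailing `//` comments out the closing quote the compiler appends.
const MALICIOUS_FORMAT = '\\" + (req.injected = \'pwned\') //';

function demonstrateInjection() {
  const unsafeReq = sampleRequest();
  const unsafeOut = runFormat(compileUnsafe, MALICIOUS_FORMAT, unsafeReq);
  const safeReq = sampleRequest();
  const safeOut = runFormat(compileSafe, MALICIOUS_FORMAT, safeReq);
  return {
    unsafeInjected: unsafeReq.injected, // 'pwned': the attacker's expression executed
    unsafeOut,                          // '\\pwned': the injected value became log output
    safeInjected: safeReq.injected,     // undefined: nothing executed
    safeOut,                            // the format string echoed back as plain text
  };
}

// Preset table on a plain object, as application code commonly writes it.
const PRESETS = { tiny: ':method :url' };

// Naive "preset name, else use the string as a format" lookup: any string the
// attacker controls becomes a format, and a polluted Object.prototype can even
// satisfy the preset lookup.
function naiveLookup(name) {
  return PRESETS[name] || name;
}

// Hardened lookup: only own properties of the preset table are accepted, so a
// polluted prototype cannot inject a format, and unknown names are rejected
// instead of being compiled.
function strictLookup(name) {
  if (typeof name !== 'string' || !Object.prototype.hasOwnProperty.call(PRESETS, name)) {
    throw new Error('unknown log format: ' + String(name));
  }
  return PRESETS[name];
}

function demonstratePollution() {
  // Simulate a prototype pollution bug elsewhere in the app (for example an
  // unsafe deep merge) that planted a "preset" on Object.prototype.
  Object.prototype.polluted = MALICIOUS_FORMAT;
  try {
    const naive = naiveLookup('polluted');
    let strictRejected = false;
    try { strictLookup('polluted'); } catch (e) { strictRejected = true; }
    return { naive, strictRejected };
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log(demonstrateInjection());
console.log(demonstratePollution());
```

The point of `compileSafe` is not that it filters the attacker's string but that it never lets format text cross from data into source in the first place; the same format that executes code under `compileUnsafe` comes back unchanged as log text. `strictLookup` closes the indirect route: with a plain-object preset table and `PRESETS[name] || name`, a polluted prototype key is enough to hand the compiler an attacker-chosen format, whereas the own-property check rejects it.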
CVE-2019-5413 is a critical code injection vulnerability in the morgan Node.js module: when an attacker controls the format string, directly or through a prototype pollution bug in the application, morgan versions before 1.9.1 compile it into executable JavaScript.
You are affected if you use a version of morgan prior to 1.9.1 and your application allows user-controlled input to reach the logging format, including the preset name used to select it.
Upgrade morgan to version 1.9.1 or later. If an immediate upgrade is not possible, never derive the format argument from untrusted input and restrict format selection to an allowlist of preset names checked as own properties.
No confirmed active exploitation campaigns are publicly known, but the severity and potential impact of the vulnerability warrant immediate remediation.
Refer to the Morgan project's repository and related security advisories for detailed information and updates: https://github.com/expressjs/morgan