1.9.2
1.9.1
CVE-2019-5413 describes a critical code injection vulnerability affecting the morgan Node.js module. This vulnerability arises when user input is improperly handled within the module's filter or when combined with a prototype pollution attack, enabling attackers to execute arbitrary code. The vulnerability impacts versions of morgan released before 1.9.1, and a fix is available in version 1.9.1 and later.
The impact of CVE-2019-5413 is severe. An attacker who can inject code into a Node.js application using the vulnerable morgan module can gain complete control over the server. This could involve reading sensitive data, modifying application files, installing malware, or even pivoting to other systems on the network. The vulnerability's reliance on prototype pollution makes it particularly concerning, as this attack vector is often overlooked during security reviews. Successful exploitation could lead to a complete compromise of the affected system and potentially the entire infrastructure.
CVE-2019-5413 was publicly disclosed on March 25, 2019. While no active exploitation campaigns have been definitively linked to this vulnerability, the CRITICAL severity and the potential for remote code execution make it a high-priority concern. The vulnerability's reliance on prototype pollution, a technique that has seen increased attention in recent years, suggests that it could be targeted by attackers. No KEV listing is currently available.
Applications built with Node.js that utilize the morgan module for logging, particularly those that allow user-supplied data to influence the logging format, are at risk. This includes web applications, APIs, and backend services. Shared hosting environments where users can influence application configuration are also particularly vulnerable.
• nodejs / server:
npm list morgan• nodejs / server:
npm audit• nodejs / server: Check package.json for morgan versions < 1.9.1. Review application code for usage of morgan's filter function with unsanitized user input.
disclosure
エクスプロイト状況
EPSS
1.95% (83% パーセンタイル)
CVSS ベクトル
The primary mitigation for CVE-2019-5413 is to upgrade the morgan module to version 1.9.1 or later. If upgrading immediately is not feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by carefully sanitizing all user input that is passed to the morgan module's filter function. Strict input validation and escaping are crucial. Additionally, review your application's code for any potential prototype pollution vulnerabilities and implement appropriate safeguards. After upgrading, confirm the fix by attempting to inject code through the morgan filter and verifying that the injection is prevented.
morganパッケージをバージョン1.9.1以降にアップデートしてください。これにより、コマンドインジェクションの脆弱性が修正されます。`npm install morgan@latest`を実行してアップデートしてください。
脆弱性分析と重要アラートをメールでお届けします。
CVE-2019-5413 is a critical code injection vulnerability in the Morgan Node.js module, allowing attackers to execute arbitrary code through prototype pollution if user input is improperly handled.
You are affected if you are using a version of Morgan prior to 1.9.1 and your application allows user input to influence the logging format.
Upgrade the Morgan module to version 1.9.1 or later. If immediate upgrade is not possible, sanitize user input passed to the filter function.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and potential impact warrant immediate attention and remediation.
Refer to the Morgan project's repository and related security advisories for detailed information and updates: https://github.com/expressjs/morgan