CVE-2019-17426
access control bypass vulnerability in mongoose (npm)


What is CVE-2019-17426 About?

Automattic Mongoose through 5.7.4 allows attackers to bypass access control in certain applications because query objects with a `_bsontype` attribute are ignored. This can prevent query filters from being applied, potentially exposing sensitive data or allowing unauthorized actions. Exploitation involves crafting query objects to specifically include the `_bsontype` attribute, leveraging a known issue in older `js-bson` versions.

Affected Software

  • mongoose
    • >5.0.0, <5.7.5
    • <4.13.21

Technical Details

This vulnerability in Mongoose (through version 5.7.4) is a form of access control bypass that arises from how Mongoose interacts with older versions of the js-bson parser (also known as mongodb/js-bson). The underlying issue is that the js-bson parser treats any object containing a `_bsontype` property as a special BSON type (e.g., an ObjectID, Date, or Buffer). Mongoose, in turn, fails to properly handle or work around this special case. Consequently, if a query object provided to Mongoose contains a `_bsontype` attribute, Mongoose may ignore or misinterpret the entire query object or specific clauses within it. For example, a query like `{ _id: 'some_id', author: userId }` might be intended to restrict access. If an attacker can introduce `"_bsontype": "a"` into the `author` field, the entire `author` filter might be ignored, effectively removing the access control mechanism and allowing the attacker to query or modify data indiscriminately, assuming they can control the input that forms the query object.

What is the Impact of CVE-2019-17426?

Successful exploitation may allow attackers to bypass intended access control mechanisms, leading to unauthorized data disclosure, modification, or other actions that should be restricted by application logic.

What is the Exploitability of CVE-2019-17426?

Exploitation of this access control bypass vulnerability requires an attacker to be able to supply input that forms part of a Mongoose query object, and specifically to embed a _bsontype attribute within that input. The attacker would likely need to understand the application's data model and how Mongoose queries are constructed. No authentication is explicitly stated as a prerequisite, but the ability to interact with data retrieval or modification endpoints is necessary. The attack is remote. The complexity is moderate, as it requires careful crafting of JSON or object payloads to trigger the _bsontype parsing issue. The primary prerequisite is that the application uses Mongoose of an affected version and, importantly, an older version of js-bson that exhibits this behavior, combined with application logic that relies on Mongoose query filters for access control. The likelihood of exploitation increases if untrusted client-side input is directly used to build Mongoose queries without thorough schema validation.

What are the Known Public Exploits?

No known exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2019-17426?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch removes the _bsontype property from query objects before casting, preventing malicious users from exploiting the BSON library’s behavior of discarding filters containing a top-level _bsontype. This mitigates the risk of unintended query manipulation and privilege escalation described in CVE-2019-17426.
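The following is an added example, not Mongoose's code and not Resolved Security's patch: it shows the defensive idea from the Technical Details and fix sections above, stripping `_bsontype` keys from untrusted filter input before the server-controlled `author` clause is merged in, so the clause cannot be discarded. The function names, the `userId` value and the sample request body are constructed for illustration.

```javascript
// Recursively copy `input`, dropping every `_bsontype` key at any depth
// (including a top-level one). Returns the copy plus a count of removed
// keys so the caller can log the event or reject the request outright.
function stripBsonType(input) {
  let removed = 0;
  function walk(value) {
    if (Array.isArray(value)) return value.map(walk);
    if (value !== null && typeof value === 'object') {
      const out = {};
      for (const [key, v] of Object.entries(value)) {
        if (key === '_bsontype') { removed += 1; continue; }
        out[key] = walk(v);
      }
      return out;
    }
    return value; // primitives (strings, numbers, null, ...) pass through unchanged
  }
  const cleaned = walk(input);
  return { cleaned, removed };
}

// Build the filter the application intends to run. The client-supplied part
// is sanitised first; the server-controlled `author` clause is spread in
// afterwards so a client-supplied `author` value can never replace it.
function buildScopedFilter(untrustedFilter, userId) {
  const { cleaned, removed } = stripBsonType(untrustedFilter);
  return { filter: { ...cleaned, author: userId }, removed };
}

// Constructed sample input resembling a tampered request body: the `author`
// clause and one array element carry a `_bsontype` marker.
const tampered = {
  title: 'x',
  author: { _bsontype: 'a' },
  tags: [{ _bsontype: 'b', v: 1 }],
};

const result = buildScopedFilter(tampered, 'user-42');
// result.filter -> { title: 'x', author: 'user-42', tags: [{ v: 1 }] }
// result.removed -> 2  (a non-zero count is a reasonable signal to reject and log)
```

A `removed` count above zero on a production endpoint is worth alerting on, since well-formed clients have no reason to send `_bsontype` in a filter.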

Available Upgrade Options

  • mongoose
    • <4.13.21 → Upgrade to 4.13.21
  • mongoose
    • >5.0.0, <5.7.5 → Upgrade to 5.7.5


Additional Resources

What are Similar Vulnerabilities to CVE-2019-17426?

Similar Vulnerabilities: CVE-2020-1510, CVE-2021-23377, CVE-2022-2900, CVE-2023-26154, CVE-2023-38035