CVE-2019-5413
Code Injection vulnerability in morgan (npm)

Code Injection Proof of concept

What is CVE-2019-5413 About?

This vulnerability affects `morgan` versions prior to 1.9.1, allowing for code injection. It can be exploited when user input is permitted in the filter function or combined with a Prototype Pollution attack. The impact is remote code execution, and its exploitability depends on specific application configurations.

Affected Software

morgan <1.9.1

Technical Details

The morgan middleware, in versions before 1.9.1, is vulnerable to code injection. The vulnerability manifests under two conditions. First, if user-supplied input is incorporated directly into morgan's filter function without sanitization, arbitrary code can be executed. Second, and more commonly, it can be exploited in combination with a Prototype Pollution attack: the attacker manipulates Object.prototype so that values they control are picked up by morgan's internal handling of logging options or formatting, particularly where custom formatters or options are constructed from attacker-controlled data, and those values are then executed as arbitrary JavaScript.

What is the Impact of CVE-2019-5413?

Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data manipulation, or denial-of-service conditions.

What is the Exploitability of CVE-2019-5413?

Exploitation of this code injection vulnerability in morgan is of moderate to high complexity. It requires specific conditions: either direct code injection via unsanitized user input into morgan's filter function or, more likely, a preceding Prototype Pollution vulnerability that an attacker can chain with morgan's internal logic. Authentication requirements depend on the preceding attack vector, i.e., whether the vulnerability allowing user input or Prototype Pollution is accessible to unauthenticated users. This is typically a remote attack, where the malicious payload is transmitted to the server. Prerequisites include the application using a vulnerable version of morgan and either directly integrating untrusted input into its configuration or being susceptible to a chainable Prototype Pollution attack. Applications dynamically generating morgan configurations based on user input are at higher risk.
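The two preconditions above (request-derived input reaching morgan's format or filter configuration, and a polluted Object.prototype feeding its options) are both things an application can guard against while it upgrades. The following is an added example written for this page; it is not code from the advisory or from the morgan project. It assumes the five built-in morgan format names and the `skip`, `immediate` and `stream` option keys, which are real; the function names (`resolveLogFormat`, `ownOptions`, `detectPrototypePollution`) and the constructed inputs are this example's own. It needs only a stock Node.js runtime, not morgan itself.

```javascript
'use strict';
// Added example for CVE-2019-5413 mitigation; not part of the advisory or of morgan.
// Function and constant names below are this example's own assumptions.

// morgan ships these named formats. A request- or config-derived choice is only
// ever mapped onto one of them; a raw string never reaches the format compiler.
const KNOWN_FORMATS = new Set(['combined', 'common', 'dev', 'short', 'tiny']);

// Resolve an untrusted format choice (query parameter, env var, config file) to a
// built-in name, falling back to a fixed default for anything outside the allowlist.
function resolveLogFormat(requested, fallback = 'combined') {
  if (typeof requested !== 'string') return fallback;
  const name = requested.trim().toLowerCase();
  return KNOWN_FORMATS.has(name) ? name : fallback;
}

// Only these option keys are forwarded to morgan. Copying own properties into a
// null-prototype object means a key inherited through a polluted Object.prototype
// (an injected "skip" callback or "format" value) is never picked up.
const ALLOWED_OPTION_KEYS = ['immediate', 'skip', 'stream'];

function ownOptions(input) {
  const out = Object.create(null);
  if (input === null || typeof input !== 'object') return out;
  for (const key of ALLOWED_OPTION_KEYS) {
    if (Object.prototype.hasOwnProperty.call(input, key)) out[key] = input[key];
  }
  return out;
}

// Snapshot of Object.prototype's own property names taken at startup. Any name that
// appears later is a symptom of prototype pollution somewhere in the process, which
// is the chain the advisory describes; surface it to monitoring rather than ignore it.
const PROTOTYPE_BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));

function detectPrototypePollution() {
  return Object.getOwnPropertyNames(Object.prototype)
    .filter((name) => !PROTOTYPE_BASELINE.has(name));
}

// Constructed inputs standing in for a query parameter and a config object.
const requestedFormat = 'verbose';                         // not a built-in name
const suppliedOptions = Object.create({ skip: () => true }); // inherited, not own
suppliedOptions.immediate = true;

console.log(resolveLogFormat(requestedFormat));   // "combined"
console.log(ownOptions(suppliedOptions));         // [Object: null prototype] { immediate: true }
console.log(detectPrototypePollution());          // [] in a clean process
```

Wire it in once at application start, for example `app.use(morgan(resolveLogFormat(process.env.LOG_FORMAT), ownOptions(config.logging)))`, rather than per request; a per-request format choice is exactly the "dynamically generated configuration" the advisory flags. Call `detectPrototypePollution()` from a health check or before constructing the middleware and alert on a non-empty result. None of this replaces the upgrade to 1.9.1, which removes the injection itself; it narrows the paths by which untrusted data could reach the vulnerable code while the upgrade is pending.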

What are the Known Public Exploits?

PoC Author | Link | Commentary
forse01    | Link | PoC for CVE-2019-5413

What are the Available Fixes for CVE-2019-5413?

Available Upgrade Options

  • morgan
    • <1.9.1 → Upgrade to 1.9.1


Additional Resources

What are Similar Vulnerabilities to CVE-2019-5413?

Similar Vulnerabilities: CVE-2019-19919, CVE-2019-10747, CVE-2019-10795, CVE-2020-28469, CVE-2020-7713