CVE-2019-5413
Code Injection vulnerability in morgan
What is CVE-2019-5413 About?
This vulnerability affects `morgan` versions prior to 1.9.1, allowing for code injection. It can be exploited when user input is permitted in the filter function or combined with a Prototype Pollution attack. The impact is remote code execution, and its exploitability depends on specific application configurations.
Affected Software
Technical Details
The `morgan` middleware, in versions before 1.9.1, is vulnerable to code injection. The vulnerability manifests primarily under two conditions. First, user-supplied input may be incorporated directly into the filter function of `morgan` without proper sanitization, allowing arbitrary code to be executed. Second, and more commonly, it can be exploited in combination with a Prototype Pollution attack: an attacker manipulates `Object.prototype` to inject malicious code, which is then inadvertently executed by `morgan`'s internal handling of logging options or formatting, particularly if custom formatters or options are constructed from attacker-controlled data. Either path leads to the execution of arbitrary JavaScript code.
What is the Impact of CVE-2019-5413?
Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data manipulation, or denial-of-service conditions.
What is the Exploitability of CVE-2019-5413?
Exploitation of this code injection vulnerability in `morgan` is of moderate to high complexity. It requires specific conditions: either direct code injection via unsanitized user input into `morgan`'s filter function or, more likely, a preceding Prototype Pollution vulnerability that an attacker can chain with `morgan`'s internal logic. Authentication requirements depend on the preceding attack vector, i.e., whether the vulnerability allowing user input or Prototype Pollution is accessible to unauthenticated users. This is typically a remote attack, where the malicious payload is transmitted to the server. Prerequisites include the application using a vulnerable version of `morgan` and either directly integrating untrusted input into its configuration or being susceptible to a chainable Prototype Pollution attack. Applications dynamically generating `morgan` configurations based on user input are at higher risk.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| forse01 | Link | PoC for CVE-2019-5413 |
| forse01 | Link | PoC for CVE-2019-5413 |
What are the Available Fixes for CVE-2019-5413?
Available Upgrade Options
- morgan: <1.9.1 → Upgrade to 1.9.1
Additional Resources
- https://hackerone.com/reports/390881
- https://osv.dev/vulnerability/GHSA-gwg9-rgvj-4h5j
- https://github.com/advisories/GHSA-gwg9-rgvj-4h5j
- https://www.npmjs.com/advisories/736
- https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E
- https://github.com/nodejs/security-wg/blob/master/vuln/npm/473.json
- https://nvd.nist.gov/vuln/detail/CVE-2019-5413
What are Similar Vulnerabilities to CVE-2019-5413?
Similar Vulnerabilities: CVE-2019-19919, CVE-2019-10747, CVE-2019-10795, CVE-2020-28469, CVE-2020-7713
