Skip to content

[GHSA-5mrr-rgp6-x4gr] Command Injection in marsdb#7914

Open
msh0625 wants to merge 1 commit into
msh0625/advisory-improvement-7914from
msh0625-GHSA-5mrr-rgp6-x4gr
Open

[GHSA-5mrr-rgp6-x4gr] Command Injection in marsdb#7914
msh0625 wants to merge 1 commit into
msh0625/advisory-improvement-7914from
msh0625-GHSA-5mrr-rgp6-x4gr

Conversation

@msh0625

@msh0625 msh0625 commented Jun 9, 2026

Copy link
Copy Markdown

Updates

  • Affected products
  • CVSS v3
  • CWEs
  • Description
  • References
  • Source code location
  • Summary

Comments
This improvement adds a verified Proof of Concept (PoC) demonstrating
Arbitrary Code Execution via the $where selector in marsdb.

Evidence:

  1. Vulnerable line confirmed at dist/DocumentMatcher.js:419
    selectorValue = Function('obj', 'return ' + selectorValue);
    User input is concatenated directly into Function() constructor
    with no sanitization.

  2. PoC verified on:

    • marsdb v0.6.10
    • Node.js v24.16.0 (ACE confirmed - arbitrary JS execution)
    • Node.js <= 18 (full RCE via require('child_process').execSync())

  3. Authentication bypass confirmed:
    $where: "1 === 1" matches all documents regardless of other
    query conditions.

  4. Repository has been archived since 2019 with no patch available.
    All versions (<=0.6.10) are affected.

Discovered and verified using vulnscope, an AI-assisted open source
vulnerability scanner: https://github.com/msh0625/vulnscope

Copilot stopped work on behalf of msh0625 due to an error June 9, 2026 01:25
Actor has insufficient permissions
@github-actions github-actions Bot changed the base branch from main to msh0625/advisory-improvement-7914 June 9, 2026 01:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@msh0625