CVE-2026-3992
Remote Injection Vulnerability in CodeGenieApp serverless-express Users Endpoint
Publication date: 2026-03-12
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| codegenieapp | serverless-express | up to and including 4.17.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-707 | The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3992 is a property injection vulnerability in the CodeGenieApp serverless-express framework up to and including version 4.17.1, specifically affecting the /users endpoint. The vulnerability arises because the application accepts a JSON-formatted filter query parameter whose keys are used directly as property names on the objects being filtered, without validating them against the set of fields the endpoint is meant to expose.
Because JavaScript property lookup walks the prototype chain, a crafted filter can reference any property, including __proto__, constructor, and prototype, as well as record fields that were never intended to be filterable. An authenticated attacker can use the endpoint's responses to enumerate database schema fields and inspect internal object structures.
The attack is network-based, requires authentication via a valid JWT token, and is low complexity since it only needs a crafted JSON payload in the filter parameter. The vulnerability is read-only and primarily leads to information disclosure.
How can this vulnerability impact me?
This vulnerability can impact you by exposing sensitive internal information about the application's database schema and internal object properties. Attackers can use this information to perform reconnaissance on the system.
Although the vulnerability does not allow modification or deletion of data (no integrity or availability impact), the disclosure of schema details can facilitate more targeted and potentially harmful attacks in the future.
The impact on confidentiality is considered low to medium, as attackers gain insight into internal structures that are normally hidden. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and analyzing requests to the /users endpoint that include the filter query parameter with unusual or suspicious JSON payloads attempting to access prototype chain properties such as __proto__, constructor, or prototype.
Detection methods include:
- Monitoring API logs for repeated requests with varying filter property names indicative of schema enumeration attempts.
- Adding logging for suspicious filter property usage to identify attempts to access dangerous or unexpected properties.
- Implementing unit tests to enforce validation of allowed filter properties.
Suggested commands to detect exploitation attempts could include using network traffic inspection tools like tcpdump or Wireshark to capture HTTP requests to the /users endpoint and grep or jq to filter for suspicious filter parameters. For example:
- tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/users?filter='
- grep -i '__proto__' api_access.log
- jq '.filter | keys' captured_requests.json
These commands help identify requests attempting to exploit the vulnerability by sending crafted filter parameters. Some caveats apply. The tcpdump expression selects TCP segments on port 80 with a non-empty payload, so it only sees plaintext HTTP; if the endpoint is served over TLS, as serverless deployments behind an API gateway typically are, inspect the application or gateway access logs instead. Filter values arrive percent-encoded in the query string, so also grep for the encoded form (__proto__ may appear as %5F%5Fproto%5F%5F) or decode the log before matching. The jq command assumes the captured requests have already been decoded into JSON objects with a filter field. [1]
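The log-based detection described above, as an added example that is not part of the advisory or of serverless-express: a small offline scanner that flags /users?filter= requests naming prototype-chain properties and clients that probe many distinct filter keys. The log line format ("client-ip time method path-and-query status") and the sample lines are assumptions constructed for the example.

```javascript
// Added example, not from the advisory or from serverless-express: scan API
// access-log lines for /users?filter= requests that reference prototype-chain
// keys, and for clients probing many distinct filter keys (schema enumeration).
// Assumed log line format: "<client-ip> <ISO-8601 time> <method> <path-and-query> <status>"

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample log. The percent-encoded filters decode to, for example,
// {"email":"a@example.com"} and {"__proto__":{"x":1}}.
const SAMPLE_LOG = [
  '10.0.0.5 2026-03-12T10:00:01Z GET /users?filter=%7B%22email%22%3A%22a%40example.com%22%7D 200',
  '10.0.0.9 2026-03-12T10:00:02Z GET /users?filter=%7B%22__proto__%22%3A%7B%22x%22%3A1%7D%7D 200',
  '10.0.0.9 2026-03-12T10:00:03Z GET /users?filter=%7B%22constructor%22%3A%7B%22prototype%22%3A1%7D%7D 200',
  '10.0.0.7 2026-03-12T10:00:04Z GET /users?filter=%7B%22a%22%3A1%7D 200',
  '10.0.0.7 2026-03-12T10:00:05Z GET /users?filter=%7B%22b%22%3A1%2C%22c%22%3A1%7D 200',
  '10.0.0.7 2026-03-12T10:00:06Z GET /users?filter=%7B%22d%22%3A1%2C%22e%22%3A1%7D 200',
  '10.0.0.5 2026-03-12T10:00:07Z GET /health 200',
];

// Parse one log line; the filter value comes back percent-decoded.
function parseLogLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\S+) (\d{3})$/);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  const url = new URL(target, 'http://log.invalid'); // base is only needed to parse a bare path
  return { ip, time, method, status: Number(status),
           path: url.pathname, filterRaw: url.searchParams.get('filter') };
}

// Collect dotted key paths from a parsed filter. Object.keys returns own
// properties only, so a JSON key literally named "__proto__" is listed without
// the walk descending into Object.prototype itself.
function collectKeys(value, prefix = '', out = []) {
  if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
    for (const k of Object.keys(value)) {
      const path = prefix ? `${prefix}.${k}` : k;
      out.push(path);
      collectKeys(value[k], path, out);
    }
  }
  return out;
}

// Analyse a single line: null for anything that is not a /users filter request.
function analyzeLine(line) {
  const req = parseLogLine(line);
  if (!req || req.path !== '/users' || req.filterRaw === null) return null;
  let keys = [];
  let parseError = false;
  try {
    keys = collectKeys(JSON.parse(req.filterRaw));
  } catch {
    parseError = true; // malformed JSON in the filter is itself worth a look
  }
  const dangerous = keys.filter(k => k.split('.').some(seg => DANGEROUS_KEYS.has(seg)));
  return { ip: req.ip, keys, dangerous, parseError };
}

// Run over a whole log: one finding per request touching a dangerous key, plus
// one per client that used at least enumThreshold distinct filter keys.
function analyzeLog(lines, enumThreshold = 5) {
  const findings = [];
  const keysByClient = new Map();
  for (const line of lines) {
    const r = analyzeLine(line);
    if (!r) continue;
    if (r.dangerous.length > 0) {
      findings.push({ ip: r.ip, reason: 'prototype-key', keys: r.dangerous });
    }
    if (!keysByClient.has(r.ip)) keysByClient.set(r.ip, new Set());
    for (const k of r.keys) keysByClient.get(r.ip).add(k);
  }
  for (const [ip, keys] of keysByClient) {
    if (keys.size >= enumThreshold) {
      findings.push({ ip, reason: 'enumeration', keys: [...keys] });
    }
  }
  return findings;
}

console.log(JSON.stringify(analyzeLog(SAMPLE_LOG), null, 2));
```

On the sample log this reports the two prototype-key requests from 10.0.0.9 and one enumeration finding for 10.0.0.7, which used five distinct keys across three requests. The enumeration threshold is a tuning knob; set it above the number of legitimately filterable fields so ordinary clients never trip it.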
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Implement an allowlist validation of permitted filter properties such as name, email, and userId to prevent access to unauthorized or dangerous properties.
- Explicitly block access to dangerous properties like __proto__, constructor, prototype, toString, and hasOwnProperty in the filter parameter processing.
- Use DynamoDB filter expressions with validated properties instead of directly accessing object properties based on user input.
- Add logging for suspicious filter property usage and implement rate limiting on the /users endpoint to prevent automated schema enumeration attacks.
- Remove or disable unused filter code in other endpoints to reduce the attack surface.
If possible, consider replacing the affected component with an alternative product or applying patches once available.
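The vulnerable pattern described in the explanation above and the allowlist, prototype-key blocking and DynamoDB filter-expression mitigations listed here, as one added example. It is not code from the advisory or from serverless-express; the handler shape, the substring ("contains") filter semantics, the field names and the in-memory user table are assumptions for illustration.

```javascript
// Added example, not from the advisory or from serverless-express. The handler
// shape, the "contains" filter semantics, the field names and the in-memory
// user table are assumptions for illustration.

// Constructed stand-in for the users table; passwordHash is an internal field
// that must be neither filterable nor returned.
const USERS = [
  { userId: 'u1', name: 'Ada', email: 'ada@example.com', passwordHash: 'h1' },
  { userId: 'u2', name: 'Bob', email: 'bob@example.com', passwordHash: 'h2' },
];

// VULNERABLE: every key of the attacker-supplied filter is used directly as a
// property name on each record. Keys such as "__proto__" or "constructor"
// resolve through the prototype chain, and undocumented own fields such as
// passwordHash can be probed, so match/no-match becomes an oracle on the
// object's structure and contents.
function listUsersVulnerable(filterJson) {
  const filter = JSON.parse(filterJson);
  return USERS.filter(user =>
    Object.keys(filter).every(key =>
      user[key] !== undefined && String(user[key]).includes(String(filter[key]))));
}

// HARDENED: allowlist the filterable fields, reject prototype-chain names
// explicitly, require string values, and compare own properties only.
const ALLOWED_FILTER_KEYS = new Set(['name', 'email', 'userId']);
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype', 'toString', 'hasOwnProperty']);

function parseFilter(filterJson) {
  let filter;
  try {
    filter = JSON.parse(filterJson);
  } catch {
    throw new Error('filter must be valid JSON');
  }
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
    throw new Error('filter must be a JSON object');
  }
  for (const key of Object.keys(filter)) {
    if (FORBIDDEN_KEYS.has(key) || !ALLOWED_FILTER_KEYS.has(key)) {
      throw new Error(`filter key not permitted: ${key}`);
    }
    if (typeof filter[key] !== 'string') {
      throw new Error(`filter value for ${key} must be a string`);
    }
  }
  return filter;
}

function listUsersHardened(filterJson) {
  const filter = parseFilter(filterJson);
  return USERS
    .filter(user => Object.keys(filter).every(key =>
      Object.prototype.hasOwnProperty.call(user, key) && user[key].includes(filter[key])))
    // Project the response so internal fields never leave the service.
    .map(({ userId, name, email }) => ({ userId, name, email }));
}

// Build DynamoDB Scan/Query filter parameters from an already-validated filter.
// Attribute names and values are bound through placeholders, so user input is
// never spliced into the expression text.
function buildDynamoFilter(filter) {
  const names = {};
  const values = {};
  const clauses = [];
  Object.keys(filter).forEach((key, i) => {
    names[`#k${i}`] = key;
    values[`:v${i}`] = filter[key];
    clauses.push(`contains(#k${i}, :v${i})`);
  });
  return {
    FilterExpression: clauses.join(' AND '),
    ExpressionAttributeNames: names,
    ExpressionAttributeValues: values,
  };
}

// Demonstration: prototype-chain and hidden-field probes succeed against the
// vulnerable handler and are rejected by the hardened one.
for (const probe of ['{"constructor":"Object"}', '{"__proto__":"Object"}', '{"passwordHash":"h1"}']) {
  let hardened;
  try { hardened = listUsersHardened(probe).length; } catch (e) { hardened = e.message; }
  console.log(probe, '-> vulnerable matches:', listUsersVulnerable(probe).length, '| hardened:', hardened);
}
```

The constructor and __proto__ probes match every record in the vulnerable handler because String(Object) and String(Object.prototype) both contain "Object", which tells the attacker the records are plain objects; the passwordHash probe matches exactly one record, confirming both the hidden field and its value. The hardened handler turns all three into a 400-class error before any data is touched, and buildDynamoFilter shows how the validated filter is handed to DynamoDB without string concatenation.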