CVE-2026-3992
Received Received - Intake
Remote Injection Vulnerability in CodeGenieApp serverless-express Users Endpoint

Publication date: 2026-03-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in CodeGenieApp serverless-express up to 4.17.1. This affects an unknown part of the file utils/dynamodb.ts of the component Users Endpoint. This manipulation of the argument filter causes injection. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3992
EUVD
EUVD-2026-11535
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
codegenieapp serverless-express to 4.17.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3992 is a property injection vulnerability in the CodeGenieApp serverless-express framework up to version 4.17.1, specifically affecting the /users endpoint. The vulnerability arises because the application accepts a JSON-formatted filter query parameter that is used to dynamically access object properties without validating the property names.

This lack of validation allows authenticated attackers to supply crafted JSON input that can access any property, including prototype chain properties like __proto__, constructor, and prototype. This enables attackers to enumerate database schema fields and inspect internal object structures.

The attack is network-based, requires authentication via a valid JWT token, and is low complexity since it only needs a crafted JSON payload in the filter parameter. The vulnerability is read-only and primarily leads to information disclosure.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can impact you by exposing sensitive internal information about the application's database schema and internal object properties. Attackers can use this information to perform reconnaissance on the system."}, {'type': 'paragraph', 'content': 'Although the vulnerability does not allow modification or deletion of data (no integrity or availability impact), the disclosure of schema details can facilitate more targeted and potentially harmful attacks in the future.'}, {'type': 'paragraph', 'content': 'The impact on confidentiality is considered low to medium, as attackers gain insight into internal structures that are normally hidden.'}] [1, 2, 3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring and analyzing requests to the /users endpoint that include the filter query parameter with unusual or suspicious JSON payloads attempting to access prototype chain properties such as __proto__, constructor, or prototype.'}, {'type': 'paragraph', 'content': 'Detection methods include:'}, {'type': 'list_item', 'content': 'Monitoring API logs for repeated requests with varying filter property names indicative of schema enumeration attempts.'}, {'type': 'list_item', 'content': 'Adding logging for suspicious filter property usage to identify attempts to access dangerous or unexpected properties.'}, {'type': 'list_item', 'content': 'Implementing unit tests to enforce validation of allowed filter properties.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect exploitation attempts could include using network traffic inspection tools like tcpdump or Wireshark to capture HTTP requests to the /users endpoint and grep or jq to filter for suspicious filter parameters. For example:'}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/users?filter='"}, {'type': 'list_item', 'content': "grep -i '__proto__' api_access.log"}, {'type': 'list_item', 'content': "jq '.filter | keys' captured_requests.json"}, {'type': 'paragraph', 'content': 'These commands help identify requests attempting to exploit the vulnerability by sending crafted filter parameters.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Implement an allowlist validation of permitted filter properties such as name, email, and userId to prevent access to unauthorized or dangerous properties.
  • Explicitly block access to dangerous properties like __proto__, constructor, prototype, toString, and hasOwnProperty in the filter parameter processing.
  • Use DynamoDB filter expressions with validated properties instead of directly accessing object properties based on user input.
  • Add logging for suspicious filter property usage and implement rate limiting on the /users endpoint to prevent automated schema enumeration attacks.
  • Remove or disable unused filter code in other endpoints to reduce the attack surface.

If possible, consider replacing the affected component with an alternative product or applying patches once available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3992. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart