Wednesday, 27 September 2017 03:14

New Meteor vulnerability disclosed, urgent update recommended


Open-source web platform Meteor has disclosed a recently discovered vulnerability which can break MongoDB protections.

Meteor, the popular cross-platform JavaScript-based web application framework, has advised that Meteor developers should be urgently aware of a vulnerability that affects a commonly used application configuration and can grant access to users' private data or bypass other protections.

The vulnerability has been fixed, and existing applications should be patched urgently.

The vulnerability was discovered through a downstream project's bug bounty programme; however, it affects a common Meteor application configuration, particularly applications that use allow or deny rules together with the attachSchema method from aldeed:collection2 or aldeed:collection2-core, or the ongoworks:security or alanning:roles packages.

Specifically, by sending a specially-crafted WebSocket payload, malicious clients can execute update operations on individual MongoDB documents in violation of the collection's allow and deny rules when specific third-party packages are installed.

When the malicious WebSocket frame is evaluated against the developer-configured rules, it disables the specific rules that would block the operation and thus allows it to execute.

This does not affect default Meteor configurations using only Meteor's core packages, but becomes possible when the commonly used third-party packages listed above are also installed.

An application may be affected if it uses a MongoDB collection's allow or deny methods to define collection-level rules and also uses any third-party package to enforce a schema on the same collection. This applies whether the application calls the methods directly or a third-party package manages the collection's rules on its behalf.

Only Mongo update operations on documents the user was already allowed to update are affected, but they may permit updates to unexpected parts of that document. This becomes particularly relevant if an application uses top-level properties to dictate a user's permission level, such as a field like "isAdmin".

The vulnerability has been fixed in the release of the allow-deny Meteor package version 1.0.9.

If you are not running Meteor 1.4, Meteor recommends you update now. Meteor versions prior to 1.4 use Node.js 0.10.x, which is no longer supported by the Node.js Foundation and may be subject to additional vulnerabilities.

If you are running Meteor 1.4 or later, Meteor recommends you update your application to use this package version whether or not you believe your application is affected. You can do this by simply executing meteor update allow-deny. You should then verify that it succeeded from the command output, or by inspecting the .meteor/versions file.


David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.
