Advisories for Npm/Mongo-Express package

In mongo-express 1.0.2, /admin allows CSRF, as demonstrated by deletion of a Collection.

mongo-express is a web-based MongoDB admin interface, written with Node.js and express.

Mongo-express is vulnerable to Denial of Service (DoS) when exporting an empty collection as CSV, due to an unhandled exception, leading to a crash.

mongo-express offers support for certain advanced syntax but implements this in an unsafe way

mongo-express is vulnerable to Remote Code Execution via endpoints that uses the toBSON method. A misuse of the vm dependency to perform exec commands in a non-safe environment.