Full Stack Blues: Exploring Vulnerabilities In The MEAN Stack

Posted by UpGuard

Full stack development is all the rage these days, and for good reason: developers with both front-end web development skills and back-end/server coding prowess clearly offer substantially more value to their respective organizations. The ability to traverse the entire stack competently also makes interacting and cooperating with operations and security an easier affair, which is a key tenet of DevOps culture.

That said, the full stack approach, despite its merits, requires developers to make critical considerations they would not previously have made, especially when it comes to security and testing. For example, in the past, dedicated DBAs or systems administrators might be tasked with validating database security or hardening underlying systems. For full stack developers these tasks are now open game; an overall shift in mindset towards security is therefore necessary for safely developing and delivering software continuously.

Having deep exposure into all layers of the stack puts full stack developers in the front seat for maintaining the application's security posture. It is therefore critical that the risks and security implications of each constituent technology are fully understood. As a representative example, the MEAN stack is a popular full stack combination streamlined for performance: MongoDB, Express.js, Angular.js, and Node.js. Because all layers of the stack are written in JavaScript, developers need only write application code, front to back, client to server, in JavaScript. And since these developers are also now on the hook for delivering secure web applications, they must address vulnerabilities and validate every layer of the application for security. But how vulnerable is each layer to being compromised? Let's take a cursory look inside the MEAN stack to find out.



MongoDB is a JavaScript-friendly, document-oriented NoSQL database that competes with the likes of Cassandra and HBase. For many application purposes MongoDB fills the same role as MySQL, although its document model and JSON-based query language differ from a relational database. Check out our MongoDB vs. MySQL comparison for a full comparison of the two technologies.

A common misconception is that MongoDB is immune to SQL injection-type attacks. While it is true that MongoDB does not parse SQL, its queries are themselves JSON documents, and if untrusted input (a parsed request body, for example) is placed directly into a query filter, an attacker can supply query operators such as $gt or $ne in place of a plain value, or JavaScript via $where, and change what the query matches, achieving the same malicious results as a classic SQL injection. Furthermore, MongoDB has had its own share of vulnerabilities; for example, a recently disclosed vulnerability gives a remote attacker the ability to crash the database server. Additionally, perusing the Common Vulnerabilities and Exposures (CVE) database reveals a host of security exposures and vulnerabilities for MongoDB.



Express.js is a server-side web and mobile application framework for Node.js, filling the role that Ruby on Rails or Sinatra fills for the Ruby language. The framework builds upon Node.js's HTTP module to provide routing, middleware and other standard components that streamline development, and is in fact the most widely used Node.js framework today. Unfortunately, Express itself does little to prevent injection or cross-site attacks (XSS, CSRF): once a body parser is attached, request bodies and query strings arrive in application code as unvalidated JavaScript objects, and output escaping is left to the templating layer. It is also exposed to every vulnerability in the underlying Node.js runtime. The Express.js site maintains an updated list of security updates and fixes per version.
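To make the injection point concrete for both the MongoDB and the Express paragraphs above, here is an added example written for this page; it is not code from the original post, from MongoDB or from Express. It assumes a login route in which Express has already parsed a JSON body into req.body. The two request bodies, the filter-building functions and the middleware name rejectOperatorKeys are constructed for illustration; the (req, res, next) signature is Express's. It needs only Node.js to run and never contacts a database.

```javascript
// Added example, not from the original post. Shows how a parsed JSON body
// becomes a MongoDB query operator, and two ways to refuse it.
// Node.js only; nothing here talks to a real database.

// Constructed request bodies: a normal login, and one where the attacker sent
// {"password": {"$gt": ""}} instead of a string.
const normalBody = { username: "alice", password: "hunter2" };
const injectedBody = { username: "alice", password: { $gt: "" } };

// Vulnerable: body values are spliced straight into the filter. With
// injectedBody the filter becomes { username: "alice", password: { $gt: "" } },
// which matches alice's document for any password. (A real application stores
// a password hash and never filters by password; this mirrors the classic
// injection only.)
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Hardened 1: enforce the scalar types the schema expects before building the
// filter. An object or array where a string is expected is rejected outright.
function buildLoginFilterSafe(body) {
  const { username, password } = body;
  if (typeof username !== "string" || typeof password !== "string") {
    throw new TypeError("username and password must be strings");
  }
  return { username, password };
}

// Hardened 2: generic walk over any parsed body, query or params object that
// flags MongoDB operator keys ($-prefixed) and dotted keys at any depth.
function containsOperatorKeys(value) {
  if (Array.isArray(value)) {
    return value.some(containsOperatorKeys);
  }
  if (value !== null && typeof value === "object") {
    return Object.keys(value).some(
      (key) => key.startsWith("$") || key.includes(".") || containsOperatorKeys(value[key])
    );
  }
  return false;
}

// Express-style middleware built on the walk above (constructed for this
// example). Mount it after the JSON body parser and before the routes:
//   app.use(rejectOperatorKeys);
function rejectOperatorKeys(req, res, next) {
  if (containsOperatorKeys(req.body) || containsOperatorKeys(req.query)) {
    res.status(400).json({ error: "query operators are not allowed in request input" });
    return;
  }
  next();
}
```

Type checking against the expected schema is the stronger control, because it encodes what each field may be; the key walk is a safety net for fields nobody thought to check. Neither helps if application code builds $where clauses or other server-side JavaScript from user strings, which remain injectable regardless of key filtering.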


Developed and maintained by Google, Angular.js is a front-end MVC framework that enables modular client-side development with comparatively little code. Its template expressions are evaluated in the browser, so untrusted text that reaches a compiled template can be interpreted as an Angular expression rather than displayed as text, which has produced a series of cross-site scripting attacks and expression sandbox escapes; a full list of Angular.js vulnerabilities is available at Mustache Security's project home on Google Code.
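As an added illustration of the point above (written for this page; not code from the post or from the Angular.js project), the functions below show why HTML escaping alone is not enough once Angular.js compiles the markup. It assumes Angular.js 1.x with its default {{ }} interpolation symbols and its ng-non-bindable directive; escapeHtml, the two render functions, the check helpers and the probe input are constructed for the example, and the exposesInterpolation helper is a deliberately simple heuristic rather than an HTML parser.

```javascript
// Added example, not from the original post. Angular.js 1.x interpolates
// {{ expression }} in any text it compiles, so escaping HTML metacharacters
// does not stop a user-supplied string from being evaluated as an expression.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Standard HTML escaping: correct against tag injection, irrelevant to {{ }}.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed probe input: it contains no HTML metacharacters, so escapeHtml
// passes it through unchanged, yet inside a compiled template Angular renders
// it as "2". Real attacks replace the arithmetic with an expression that
// escapes the Angular expression sandbox; arithmetic is enough to prove
// that evaluation happens.
const probeName = "{{1+1}}";

// Vulnerable: server-side rendering puts escaped user text inside an element
// that Angular will compile (anything under ng-app).
function renderGreetingVulnerable(name) {
  return `<div ng-app>Hello, ${escapeHtml(name)}</div>`;
}

// Hardened: wrap untrusted text in ng-non-bindable so the compiler leaves it
// as literal text. Escaping is still needed against ordinary HTML injection.
function renderGreetingSafe(name) {
  return `<div ng-app>Hello, <span ng-non-bindable>${escapeHtml(name)}</span></div>`;
}

// Input-side check for server code that cannot change the template: flag text
// carrying a start symbol followed by an end symbol (symbols are parameters
// because an application may have changed them via $interpolateProvider).
function containsInterpolation(text, startSymbol = "{{", endSymbol = "}}") {
  const s = String(text);
  const start = s.indexOf(startSymbol);
  return start !== -1 && s.indexOf(endSymbol, start + startSymbol.length) !== -1;
}

// Output-side heuristic: does rendered HTML still expose interpolation to the
// compiler, i.e. outside any ng-non-bindable element? Good enough for flat
// markup like the templates above; not a substitute for a real HTML parser.
function exposesInterpolation(html) {
  const stripped = html.replace(
    /<([a-z0-9-]+)[^>]*\bng-non-bindable\b[^>]*>[\s\S]*?<\/\1>/gi,
    ""
  );
  return containsInterpolation(stripped);
}
```

The cleanest fix is to stop rendering user data into Angular templates on the server at all: ship the data as JSON and let the client bind it with ng-bind, which displays it as text and never compiles it. ng-non-bindable is the mitigation when server-side rendering into the Angular-controlled DOM cannot be avoided.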


Node.js enables the building of web applications with extensive server-side and networking capabilities and enables real-time two-way communication between the client and server. Based on Google's V8 JavaScript engine, Node.js is popular for creating HTTP web servers on the fly. Arguably the defining component of the MEAN stack, Node.js is not without its own vulnerabilities: not only does it inherit all JavaScript-related vulnerabilities, it also gains new attack vectors by executing on the server side, where injected or dynamically evaluated JavaScript runs with access to the file system, child processes and the network rather than inside a browser sandbox. The CVE database also houses a comprehensive list of Node.js vulnerabilities.

In short, full stack development may be the embodiment of DevOps, but it nonetheless requires strict adherence to secure application development practices. The MEAN stack, and any stack for that matter, be it LAMP or .NET, requires proper controls for ensuring that security is baked in at all phases of development. To this end, UpGuard provides comprehensive vulnerability assessment and monitoring for web applications, databases and servers; regardless of which stack is in use, our platform can scan and validate every layer.
