
CVE-2022-24304 mongoose

Package

Manager: npm
Name: mongoose
Vulnerable Version: >=6.0.0 <6.4.6 || >=0 <5.13.15

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

Mongoose Vulnerable to Prototype Pollution in Schema Object

### Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The `Schema.path()` function is vulnerable to prototype pollution when setting the `schema` object: a dotted path whose segment is `__proto__` is walked into `Object.prototype`, so the final assignment lands on the shared prototype. This allows modification of the Object prototype and can be turned into a Denial of Service (DoS).

### Proof of Concept

```js
// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

// A dotted path whose first segment is "__proto__" resolves to Object.prototype
const malicious_payload = '__proto__.toString';
schema.path(malicious_payload, [String]);

const x = {};
console.log(x.toString()); // crashes: Object.prototype.toString has been overwritten (DoS)
```

### Impact

Beyond Denial of Service (DoS), this vulnerability can be leveraged for other classes of attack, such as Remote Code Execution or Property Injection, depending on how the polluted properties are consumed by the application.
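As an added illustration (not mongoose's code and not the advisory's PoC), the block below mirrors the nested-tree walk the description refers to in a simplified vulnerable form next to a hardened form, plus a guard an application can apply before handing user-controlled field names to `Schema.path()`. The names `isSafeSchemaPath`, `addPathUnsafe` and `addPathSafe` are assumptions for this example.

```javascript
// Added example, not mongoose's own code: guard and hardened tree walk for
// dotted schema paths built from untrusted input.

// Segments that let a dotted path climb the prototype chain.
const SPECIAL_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns true only when every segment is non-empty and cannot reach Object.prototype.
function isSafeSchemaPath(path) {
  if (typeof path !== 'string' || path.length === 0) return false;
  return path.split('.').every((seg) => seg.length > 0 && !SPECIAL_SEGMENTS.has(seg));
}

// Simplified VULNERABLE walk (illustration of the pattern behind CVE-2022-24304,
// not mongoose's implementation): plain-object branches mean a "__proto__"
// segment resolves to Object.prototype, so the final write pollutes it.
function addPathUnsafe(tree, path, value) {
  const parts = path.split('.');
  let branch = tree;
  for (let i = 0; i < parts.length - 1; i++) {
    branch = branch[parts[i]] = branch[parts[i]] || {};
  }
  branch[parts[parts.length - 1]] = value;
  return tree;
}

// Hardened walk: reject special segments up front, and create branches with
// Object.create(null) so there is no prototype chain to climb at all.
function addPathSafe(tree, path, value) {
  if (!isSafeSchemaPath(path)) {
    throw new TypeError(`refusing unsafe schema path: ${JSON.stringify(path)}`);
  }
  const parts = path.split('.');
  let branch = tree;
  for (let i = 0; i < parts.length - 1; i++) {
    // hasOwnProperty.call works on null-prototype objects too
    if (!Object.prototype.hasOwnProperty.call(branch, parts[i])) {
      branch[parts[i]] = Object.create(null);
    }
    branch = branch[parts[i]];
  }
  branch[parts[parts.length - 1]] = value;
  return tree;
}

// Constructed usage: validate field names coming from a request before any schema call.
const requestedFields = ['profile.displayName', '__proto__.toString', 'a.constructor.b'];
for (const f of requestedFields) {
  console.log(`${f} -> ${isSafeSchemaPath(f) ? 'accepted' : 'rejected'}`);
}
```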

Metadata

Created: 2022-08-27T00:00:54Z
Modified: 2024-04-22T23:17:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-h8hf-x3f4-xwgp/GHSA-h8hf-x3f4-xwgp.json
CWE IDs: ["CWE-1321"]
Alternative ID: GHSA-h8hf-x3f4-xwgp
Finding: F390
Auto approve: 1