CVE-2022-2564: Prototype Pollution in automattic/mongoose
First published: Thu Jul 28 2022(Updated: )
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The `Schema.path()` function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.
Credit: security@huntr.dev security@huntr.dev security@huntr.dev
| Affected Software | Affected Version | How to fix |
|---|---|---|
| npm/mongoose | <5.13.15 | 5.13.15 |
| npm/mongoose | >=6.0.0<6.4.6 | 6.4.6 |
| Mongoose | <6.4.6 | |
| Mongoose | <5.13.15 | |
| Mongoose | >=6.0.0<6.4.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141
- https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6
- https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8
- https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd
- https://nvd.nist.gov/vuln/detail/CVE-2022-2564
- https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
- https://github.com/Automattic/mongoose/commit/99b418941e2fc974199b8e5bd9d382bb50bf680a
- https://github.com/advisories/GHSA-f825-f98c-gj3g (Advisory)
Frequently Asked Questions
What is the severity of CVE-2022-2564?
CVE-2022-2564 is classified as a moderate severity vulnerability affecting specific versions of Mongoose.
How do I fix CVE-2022-2564?
To fix CVE-2022-2564, upgrade to Mongoose version 6.4.6 or later, or downgrade to any version below 5.13.15.
What versions of Mongoose are affected by CVE-2022-2564?
Versions of Mongoose prior to 6.4.6 and between 5.13.15 and 6.0.0 are affected by CVE-2022-2564.
What is the specific vulnerability in CVE-2022-2564?
CVE-2022-2564 is related to Prototype Pollution in the Schema.path() function of Mongoose.
Is CVE-2022-2564 a remote exploitation vulnerability?
CVE-2022-2564 can potentially be exploited remotely, as it affects a widely used database modeling library.
- collector/github-advisory-latest
- alias/GHSA-f825-f98c-gj3g
- alias/CVE-2022-2564
- collector/github-advisory
- agent/references
- agent/type
- agent/remedy
- agent/author
- agent/weakness
- agent/description
- agent/softwarecombine
- agent/title
- agent/severity
- agent/first-publish-date
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- package-manager/npm
- vendor/mongoosejs
- canonical/mongoose
- version/mongoose/6.0.0