Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-2564

Date: July 28, 2022

Overview

Prototype Pollution in mongoose npm package aka GitHub repository automattic/mongoose prior to version 6.4.6 which can lead to Denial-of-Service (DoS).

Details

Prototype Pollution vulnerability leverages the nature and ground rules of JavaScript programming language. Eventually, it allows the injection of properties into objects.

PoC Details

Due to the absence of validation on the values passed into `Schema()` function an attacker can supply a malicious value by adjusting the value to include the `__proto__` property.
Since there is no validation before assigning the property here to check whether the assigned argument is the Object's own property or not, the property will be directly assigned to the object, thereby polluting the Object prototype.

PoC Code

mongoose = require("mongoose");
var payload = '{"__proto__.toString": "Number"}';
console.log('Before:', {}.toString()); // [object Object]
mongoose.Schema(JSON.parse(payload));
console.log('After:', {}.toString()); // crash

Affected Environments

Before 6.4.6

Remediation

Object freeze - The object.freeze() method prevents any changes to the attributes of an object, meaning it can’t become polluted.

Schema validation - Ensure the JSON scheme does not contain any prototypes or accessor property such as “__proto__”.

Safer alternatives for object’s creation - Create an object without the “__proto__” accessor property by using Object.create(null): Use Map instead of Object to hold key-value pairs securely.

Prevention

Update to version 6.4.6

Language: JS

Good to know:

icon

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321
icon

Upgrade Version

Upgrade to version mongoose - 6.4.6

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Related Resources (9)

https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8
https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd
https://github.com/Automattic/mongoose/commit/99b418941e2fc974199b8e5bd9d382bb50bf680a
https://github.com/automattic/mongoose
https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141
https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6
https://nvd.nist.gov/vuln/detail/CVE-2022-2564
https://www.mend.io/vulnerability-database/CVE-2022-2564