BIT-mongoose-2023-3696
Prototype Pollution vulnerability in mongoose (npm)
What is BIT-mongoose-2023-3696 About?
This vulnerability, a Prototype Pollution issue tracked as CVE-2023-3696 (GHSA-9m93-w8w6-76hh), affects the npm package mongoose (GitHub repository automattic/mongoose) in versions before 5.13.20, 6.11.3 and 7.3.3. Its impact ranges from denial of service to arbitrary code execution, depending on how the application uses properties that resolve through the polluted prototype. Exploitation is comparatively easy wherever user-controlled input directly influences object property assignment.
Affected Software
- mongoose
- >6.0.0, <6.11.3
- >7.0.0, <7.3.3
- <5.13.20
Technical Details
The Prototype Pollution vulnerability in Mongoose (versions before 7.3.3, 6.11.3 and 5.13.20) arises when an attacker can inject or modify properties of Object.prototype. The general pattern is an application that recursively merges objects or assigns properties from user-controlled input without validating the keys: an input object containing a __proto__ key, or a constructor key with a nested prototype, is walked like any other path, and the assignment lands on the shared prototype instead of on the target object. In Mongoose the affected code path is document initialization, where a document is populated from a raw object; before the fix, keys named __proto__ or constructor in that object were assigned like any other path. Once Object.prototype carries attacker-chosen properties, every plain object in the process, including objects created later in unrelated code, inherits them. That can change control flow, override defaults or configuration, crash code that expects a different type, or reach arbitrary code execution where the application later passes such a property to a sensitive sink.
What is the Impact of BIT-mongoose-2023-3696?
Successful exploitation can lead to denial of service (for example, when library code finds an unexpected value on a property it assumed was unset), bypass of security checks that rely on a property being absent or falsy (an isAdmin flag read off a freshly created object, say), or arbitrary code execution where the application later passes a polluted value to a code-execution sink such as a template engine or a shell command. Which of these applies depends on how the application uses the affected objects.
What is the Exploitability of BIT-mongoose-2023-3696?
Exploitation consists of getting an object whose keys include __proto__ or constructor into data that the application, or Mongoose on its behalf, processes with the vulnerable assignment logic. With JSON input this is a matter of crafting the right key names, since JSON.parse produces an ordinary own property named __proto__ rather than setting the prototype. The difficulty depends entirely on how much control the attacker has over the object keys that reach a merge, assignment or document-initialization step. No authentication or elevated privilege is required by the flaw itself, and the input can arrive remotely over the application's normal interfaces. Applications most at risk are those that deserialize untrusted input into objects without filtering keys, or that deep-merge objects from external sources, since both hand the attacker direct control over the prototype chain.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-mongoose-2023-3696?
About the Fix from Resolved Security
The patch skips the special keys __proto__ and constructor when a document is initialized from raw data, so an attacker who controls that data can no longer write through them into Object.prototype. This is the fix for CVE-2023-3696, a prototype pollution vulnerability through which an attacker could alter application behaviour or escalate privileges by manipulating Object.prototype.
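As an added example (not Mongoose's code and not part of the original advisory), the following JavaScript shows the mechanism described under Technical Details and the guard the fix applies: a naive recursive merge that walks into Object.prototype through a __proto__ key in a constructed attacker payload, beside a hardened merge that drops __proto__, constructor and prototype keys and refuses to descend into inherited properties. The isAdmin check and the pollutionAfter helper are hypothetical names chosen for the demonstration.

```javascript
// Added example, not code from Mongoose or from the advisory above.
// Demonstrates prototype pollution through a recursive merge of
// attacker-controlled JSON, and the key guard that prevents it.

// Constructed attacker payload. JSON.parse produces an *own* property
// literally named "__proto__" (it does not set the prototype); a naive
// merge then assigns through it into Object.prototype.
const ATTACKER_JSON = '{"name":"alice","__proto__":{"isAdmin":true}}';

// Vulnerable: recursive merge with no key filtering.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      // For key "__proto__", target[key] resolves to Object.prototype, so
      // the recursion writes into the prototype shared by every plain object.
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: the guard the fix describes (skip __proto__ and constructor),
// generalised to any recursive merge; "prototype" is dropped as well so a
// constructor.prototype path cannot be reached through a function value.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // drop the dangerous keys outright
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // Only descend into a plain object that target *owns*; an inherited
      // property is exactly how the prototype chain would be reached.
      if (!Object.prototype.hasOwnProperty.call(target, key) ||
          target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hypothetical authorisation check that trusts a plain property lookup.
// Once Object.prototype.isAdmin is true, a brand-new object passes it.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Merge the payload into a fresh target with the given merge function and
// report whether an unrelated, freshly created object now passes the admin
// check. Cleans up afterwards so the pollution does not leak into later code.
function pollutionAfter(mergeFn) {
  const target = {};
  mergeFn(target, JSON.parse(ATTACKER_JSON));
  const unrelated = {};
  const result = {
    targetName: target.name,                 // ordinary keys still merge
    unrelatedIsAdmin: isAdmin(unrelated),    // true only if the prototype was polluted
    ownIsAdmin: Object.prototype.hasOwnProperty.call(target, 'isAdmin'), // target itself looks clean
  };
  delete Object.prototype.isAdmin;
  return result;
}

console.log('naive:', pollutionAfter(naiveMerge)); // unrelatedIsAdmin: true
console.log('safe :', pollutionAfter(safeMerge));  // unrelatedIsAdmin: false
```

Note that after the naive merge the target object itself carries no isAdmin property; the damage is only visible on objects that were never touched by the merge, which is why prototype pollution is easy to miss in testing and why the guard belongs at the point where keys are assigned, not in the code that later reads them.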
Available Upgrade Options
- mongoose
- <5.13.20 → Upgrade to 5.13.20
- >=6.0.0, <6.11.3 → Upgrade to 6.11.3
- >=7.0.0, <7.3.3 → Upgrade to 7.3.3
Additional Resources
- https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d
- https://nvd.nist.gov/vuln/detail/CVE-2023-3696
- https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467
- https://github.com/Automattic/mongoose
- https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2
- https://github.com/Automattic/mongoose/commit/e29578d2ec18a68aeb4717d66dd5eb66bae53de1
- https://osv.dev/vulnerability/GHSA-9m93-w8w6-76hh
- https://github.com/Automattic/mongoose/releases/tag/7.3.3
What are Similar Vulnerabilities to BIT-mongoose-2023-3696?
Similar Vulnerabilities: CVE-2021-23393, CVE-2020-28281, CVE-2019-11358, CVE-2023-28155, CVE-2023-23910
