CVE-2022-24304
Prototype Pollution vulnerability in mongoose (npm)
What is CVE-2022-24304 About?
Mongoose, a MongoDB object modeling tool, is vulnerable to Prototype Pollution via its `Schema.path()` function when a crafted path string is used to define a schema property. The vulnerability allows modification of `Object.prototype`, which can be leveraged to achieve Denial of Service (DoS) or other impacts. Exploitation is moderately easy with a crafted input to the `Schema.path()` function.
Affected Software
- mongoose
  - <5.13.15
  - >6.0.0, <6.4.6
Technical Details
The vulnerability in the `mongoose` npm package is a Prototype Pollution issue within the `Schema.path()` function. When an attacker provides a crafted string, such as `__proto__.toString`, as the path argument to `schema.path()`, it can modify the global `Object.prototype`. Because every ordinary JavaScript object inherits from `Object.prototype`, any property added there becomes visible on all objects, which should never happen. An attacker can use this to overwrite critical methods or properties, leading to unexpected behavior, application crashes (Denial of Service), or potentially remote code execution if combined with other vulnerabilities or gadgets. The proof of concept demonstrates that overwriting `Object.prototype.toString` with a non-function value causes a crash as soon as `toString()` is called on any object.
What is the Impact of CVE-2022-24304?
Successful exploitation may allow attackers to trigger denial of service conditions, gain remote code execution, or perform property injection, leading to significant system compromise or data manipulation.
What is the Exploitability of CVE-2022-24304?
Exploitation of this vulnerability requires the ability to provide attacker-controlled input to the Schema.path() function. The complexity of crafting the payload is moderate, as it targets a specific prototype property. No specific authentication or privilege requirements are directly associated with triggering the Schema.path() vulnerability; however, an attacker would need to control input that eventually flows into this function. This could be a remote attack if such input is exposed via an application API. Special conditions include the application using Mongoose and allowing untrusted data to influence schema definitions or object paths. Risk factors are heightened in applications that expose internal object definitions or schema modification capabilities to untrusted users.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-24304?
About the Fix from Resolved Security
This patch prevents users from defining schema properties with special JavaScript object property names (like `__proto__`), which previously allowed prototype pollution attacks. By blocking these keys in schema definitions and throwing errors when they are used, it mitigates the risk described in CVE-2022-24304, where an attacker could manipulate object prototypes and compromise application integrity.
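As an added example, not mongoose's own code, the following shows the defensive pattern behind the fix described above and in the Technical Details: a dotted schema path is split into segments and rejected if any segment is a reserved prototype-related name, before any nested assignment takes place. The reserved-name set, the `assertSafeSchemaPath` / `setNestedPath` helpers and the `prototypeIsClean` check are this example's own assumptions for illustration.

```javascript
// Reserved property names that must never appear as a segment of a dotted
// schema path. Assumed set for this example; the same idea as the patch above.
const SPECIAL_PROPERTIES = new Set(['__proto__', 'constructor', 'prototype']);

// Validate a dotted path such as "profile.name" and throw on reserved segments.
// Returns the path unchanged when it is safe, so it can be used inline.
function assertSafeSchemaPath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('schema path must be a non-empty string');
  }
  for (const segment of path.split('.')) {
    if (SPECIAL_PROPERTIES.has(segment)) {
      throw new Error(
        `Cannot use reserved property name "${segment}" in schema path "${path}"`
      );
    }
  }
  return path;
}

// A minimal nested setter of the kind that is dangerous when unguarded:
// it walks the dotted path, creating intermediate objects, and assigns the
// value to the final segment. The guard above runs first, so a path like
// "__proto__.toString" is refused before the walk begins.
function setNestedPath(root, path, value) {
  assertSafeSchemaPath(path);
  const segments = path.split('.');
  let current = root;
  for (const segment of segments.slice(0, -1)) {
    const existing = current[segment];
    if (!Object.prototype.hasOwnProperty.call(current, segment) ||
        typeof existing !== 'object' || existing === null) {
      current[segment] = {};
    }
    current = current[segment];
  }
  current[segments[segments.length - 1]] = value;
  return root;
}

// Post-condition check a test suite can run after handling untrusted input:
// Object.prototype still has a callable toString and no added own properties.
function prototypeIsClean() {
  return typeof Object.prototype.toString === 'function' &&
    Object.keys(Object.prototype).length === 0 &&
    ({}).toString() === '[object Object]';
}

module.exports = { SPECIAL_PROPERTIES, assertSafeSchemaPath, setNestedPath, prototypeIsClean };
```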
Available Upgrade Options
- mongoose
  - <5.13.15 → Upgrade to 5.13.15
  - >6.0.0, <6.4.6 → Upgrade to 6.4.6
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2022-24304
- https://github.com/Automattic/mongoose/issues/12085
- https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd
- https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141
- https://github.com/Automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8
- https://osv.dev/vulnerability/GHSA-h8hf-x3f4-xwgp
- https://github.com/Automattic/mongoose/commit/6a197316564742c0422309e1b5fecfa4faec126e
What are Similar Vulnerabilities to CVE-2022-24304?
Similar Vulnerabilities: CVE-2020-28283, CVE-2019-11358, CVE-2021-23424, CVE-2020-8174, CVE-2020-7760
