CVE-2022-2564
Prototype Pollution vulnerability in mongoose (npm)
What is CVE-2022-2564 About?
Mongoose, a MongoDB object modeling tool, is vulnerable to Prototype Pollution via the `Schema.path()` function in affected versions. This flaw allows attackers to modify the global `Object` prototype, potentially leading to a Denial of Service (DoS) attack. Exploitation is relatively straightforward by manipulating schema object settings.
Affected Software
- mongoose
  - <5.13.15
  - >6.0.0, <6.4.6
Technical Details
Mongoose, in affected versions, is susceptible to a Prototype Pollution vulnerability. The `Schema.path()` function, specifically when used to set schema objects, does not properly sanitize input, allowing an attacker to inject properties into `Object.prototype`. By crafting a malicious input to `Schema.path()` that includes `__proto__` in the property path or key, an attacker can directly add or modify properties on the global `Object.prototype`. This can be manipulated to trigger various adverse effects, such as application crashes or inconsistent behavior, which could be leveraged for a Denial of Service (DoS) attack by rendering the application unstable or unusable.
What is the Impact of CVE-2022-2564?
Successful exploitation may allow attackers to inject arbitrary properties into the Object.prototype, which can lead to denial of service by causing application instability or crashing, or potentially other impacts depending on how prototype properties are used.
What is the Exploitability of CVE-2022-2564?
Exploitation complexity is moderate, requiring an understanding of Mongoose schema definitions and how to manipulate input to the Schema.path() function. No explicit authentication or high privileges are inherently required for the vulnerability itself, but the attacker needs to be able to influence the Schema.path() function call. This is typically a local vulnerability if the attacker needs direct access to the application's source code or its API for schema manipulation. However, it can become remote if an application exposes functionality that allows an unauthenticated user to directly or indirectly influence the schema definition or property assignment in a way that triggers this. The primary prerequisite is the use of an affected Mongoose version in an application that attempts to dynamically create or modify schemas based on untrusted input. Risk is elevated in applications that allow user-defined schema modifications or extensions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-2564?
About the Fix from Resolved Security
The patch blocks properties listed in `utils.specialProperties` (such as `__proto__`) from being added to schemas, preventing their injection via the schema `add()` method or constructor. This mitigates the prototype pollution attack described by CVE-2022-2564 by ensuring malicious inputs cannot manipulate or overwrite JavaScript object prototypes through user-controlled schema definitions.
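To make the Technical Details and the fix description concrete, the following is an added example written for this page, not mongoose's own code. It models a minimal schema builder that applies the same guard the patch describes: every segment of a user-supplied path is checked against a reserved-name set before it is stored. The set is assumed here to contain `__proto__`, `constructor` and `prototype` (the page only confirms `__proto__`), and `SafeSchema`, `assertSafePath` and `prototypeIsClean` are hypothetical helper names. The hostile definition is parsed from JSON on purpose: `JSON.parse` creates an own property literally named `__proto__`, which is how such a key reaches an application from an HTTP body.

```javascript
// Added example (not mongoose's code). Assumption: the blocked names mirror
// mongoose's utils.specialProperties, taken here as the three below.
const SPECIAL_PROPERTIES = new Set(['__proto__', 'constructor', 'prototype']);

// Reject any dotted path whose segments name a reserved property.
function assertSafePath(path) {
  for (const segment of String(path).split('.')) {
    if (SPECIAL_PROPERTIES.has(segment)) {
      throw new Error(`Refusing schema path with reserved key: ${segment}`);
    }
  }
  return true;
}

// Minimal stand-in for a schema: a map of dotted paths to type definitions.
// Paths live on a null-prototype object so that even a missed check could not
// write through to Object.prototype; the guard in add() should fire first.
class SafeSchema {
  constructor(definition = {}) {
    this.paths = Object.create(null);
    this.add(definition);
  }

  // Add definition entries, recursing into nested plain objects.
  // Object.keys() returns own keys only, so an own "__proto__" key from
  // JSON.parse is visible here and gets rejected by assertSafePath().
  add(definition, prefix = '') {
    for (const key of Object.keys(definition)) {
      const fullPath = prefix ? `${prefix}.${key}` : key;
      assertSafePath(fullPath);
      const value = definition[key];
      const isNested = value !== null && typeof value === 'object' &&
        !Array.isArray(value) && value.type === undefined;
      if (isNested) {
        this.add(value, fullPath);
      } else {
        this.paths[fullPath] = value;
      }
    }
    return this;
  }

  path(name) {
    return this.paths[name];
  }
}

// Post-condition a defender can check after handling untrusted schema input:
// a fresh plain object must not see the marker via its prototype chain.
function prototypeIsClean(marker = 'polluted') {
  return !(marker in {});
}

// Constructed sample inputs: a benign definition and a hostile one as it would
// arrive from a JSON request body. Returns the observed outcomes.
function demo() {
  const benign = new SafeSchema({ name: String, nested: { age: Number } });
  const hostile = JSON.parse('{"__proto__": {"polluted": true}}');
  let rejected = false;
  try {
    new SafeSchema(hostile);
  } catch (err) {
    rejected = true;
  }
  return {
    nestedAgeType: benign.path('nested.age'),
    hostileRejected: rejected,
    prototypeClean: prototypeIsClean(),
  };
}

module.exports = { SPECIAL_PROPERTIES, assertSafePath, SafeSchema, prototypeIsClean, demo };
```

The `prototypeIsClean()` check is the useful part for operations: it is cheap enough to run after any code path that builds schemas from external input, and a failure is a clear signal that a reserved key got through. Upgrading to the fixed mongoose versions remains the actual remediation; this helper only illustrates the shape of the check.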
Available Upgrade Options
- mongoose
  - <5.13.15 → Upgrade to 5.13.15
  - >6.0.0, <6.4.6 → Upgrade to 6.4.6
Additional Resources
- https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd
- https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8
- https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141
- https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6
- https://osv.dev/vulnerability/GHSA-f825-f98c-gj3g
- https://nvd.nist.gov/vuln/detail/CVE-2022-2564
- https://github.com/Automattic/mongoose/commit/99b418941e2fc974199b8e5bd9d382bb50bf680a
- https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
What are Similar Vulnerabilities to CVE-2022-2564?
Similar Vulnerabilities: CVE-2020-28267, CVE-2020-15174, CVE-2019-10741, CVE-2019-10756, CVE-2018-3721
