CVE-2022-2564

Published: Jul 28, 2022Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.

Affected (2)

Products: Mongoosejs: Mongoose

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mongoosejs Mongoose	Before 5.13.15
Mongoosejs Mongoose	From 6.0.0 to 6.4.6

Related CWEs

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

References (8)

https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141

Source: security@huntr.dev

ExploitThird Party Advisory

https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6

Source: security@huntr.dev

PatchThird Party Advisory

https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8

Source: security@huntr.dev

PatchThird Party Advisory

https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd

Source: security@huntr.dev

ExploitIssue TrackingPatchThird Party Advisory

https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue TrackingPatchThird Party Advisory

Timeline

No history available yet.