CVE-2023-3696

Published: Jul 17, 2023Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.

Affected (3)

Products: Mongoosejs: Mongoose

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mongoosejs Mongoose	Before 5.13.20
Mongoosejs Mongoose	From 6.0.0 to 6.11.3
Mongoosejs Mongoose	From 7.0.0 to 7.3.4

Related CWEs

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

References (4)

https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d

Source: security@huntr.dev

Patch

https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467

Source: security@huntr.dev

ExploitPatch

https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitPatch

Timeline

No history available yet.