
GHSA-rc4v-99cr-pjcm: Prototype Pollution in ali-security/mongoose

Impact

This vulnerability allows prototype pollution in document.js through functions such as findByIdAndUpdate(). In applications that use Express and EJS, this can potentially lead to remote code execution.

Patches

The earlier @seal-security/mongoose-fixed release based on mongoose 5.3.3 did not include a fix for CVE-2023-3696, so @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (it is, however, protected against CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, @seal-security/mongoose-fixed version 5.3.4 has been published. Note that this release is compatible with the original mongoose version 5.3.3, not with mongoose version 5.3.4.
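One application-level guard that complements the upgrade, shown here as an added example that is not part of the advisory or of mongoose: it walks an update document before it reaches a findByIdAndUpdate()-style call, including dotted paths under operators such as $set, and rejects any key segment that would walk into Object.prototype. The middleware shape and the sample payloads are constructed for illustration.

```javascript
'use strict';

// Key segments that must never appear in an update path: setting them on
// an object walks into Object.prototype instead of the document itself.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Recursively checks a mongoose-style update document. Update paths may be
// dotted ("a.b.c") and nested under operators such as $set or $push, so
// every segment of every key is examined, not only top-level keys.
// Returns the first offending path, or null if the update is clean.
function findPollutingPath(update, prefix = '') {
  if (update === null || typeof update !== 'object') return null;
  const entries = Array.isArray(update)
    ? update.map((v, i) => [String(i), v])
    : Object.entries(update); // own keys only; JSON.parse makes "__proto__" an own key
  for (const [key, value] of entries) {
    const fullPath = prefix ? `${prefix}.${key}` : key;
    for (const segment of key.split('.')) {
      if (FORBIDDEN_SEGMENTS.has(segment)) return fullPath;
    }
    const nested = findPollutingPath(value, fullPath);
    if (nested) return nested;
  }
  return null;
}

// Hypothetical Express middleware (not part of mongoose): reject a request
// body that would carry a polluting path into the update call.
function rejectPrototypePollution(req, res, next) {
  const bad = findPollutingPath(req.body);
  if (bad) return res.status(400).json({ error: `disallowed update path: ${bad}` });
  return next();
}

// Constructed sample payloads for illustration.
const cleanUpdate = { $set: { 'profile.name': 'alice', tags: ['a', 'b'] } };
const dottedPollution = { $set: { '__proto__.isAdmin': true } };
const nestedPollution = { $set: { constructor: { prototype: { isAdmin: true } } } };
```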

References

  • https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721
  • https://github.com/advisories/GHSA-9m93-w8w6-76hh
  • https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2


Package

npm @seal-security/mongoose-fixed (npm)

Affected versions

= 5.3.3

Patched versions

5.3.4


AlonNavon published to ali-security/mongoose

Oct 15, 2023

Published to the GitHub Advisory Database

Oct 17, 2023

Reviewed

Oct 17, 2023

Last updated

Oct 17, 2023
