CVE-2022-2564 — automattic/mongoose vulnerable to Prototype pollution via Schema.path

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The `Schema.path()` function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack.

How to fix CVE-2022-2564

To remediate CVE-2022-2564, upgrade the affected package to a fixed version below.

—upgrade to 5.13.15 or later
—upgrade to 6.4.6 or later

Is CVE-2022-2564 being exploited?

Low — EPSS is 2.9%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 5.13.15, >= 6.0.0, < 6.4.6
>= 6.0.0, < 6.4.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.0	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-2564
WEBgithub.com/automattic/mongoose
WEBgithub.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141
WEBgithub.com/Automattic/mongoose/blob/master/CHANGELOG.md