Miggo Logo
Miggo Vulnerability Database
CVE-2022-2564

CVE-2022-2564: automattic/mongoose vulnerable to Prototype pollution via Schema.path

7

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-2564
GHSA ID
GHSA-f825-f98c-gj3g
EPSS Score
0.81711%
CWE
CWE-1321
Published
7/29/2022
Updated
11/29/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
mongoosenpm>= 6.0.0, < 6.4.66.4.6
mongoosenpm< 5.13.155.13.15

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from insufficient input validation in schema path handling. The GitHub commit a45cfb6 explicitly adds checks for special properties (like proto) in both add() and path() methods, confirming these were the entry points. The CVE description directly implicates Schema.path() as the vulnerable function, and the patch modifies both functions to prevent prototype pollution by rejecting special property keys. The high confidence comes from the direct correlation between the vulnerability description, CWE-1321 (Prototype Pollution), and the specific defensive code changes in these functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Mon*oos* is * Mon*o** o*j**t mo**lin* tool **si*n** to work in *n *syn**ronous *nvironm*nt. *****t** v*rsions o* t*is p**k*** *r* vuln*r**l* to Prototyp* Pollution. T** `S***m*.p*t*()` *un*tion is vuln*r**l* to prototyp* pollution w**n s*ttin* t** s*

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt input v*li**tion in s***m* p*t* **n*lin*. T** *it*u* *ommit ******* *xpli*itly ***s ****ks *or sp**i*l prop*rti*s (lik* __proto__) in *ot* ***() *n* p*t*() m*t*o*s, *on*irmin* t**s* w*r* t** *ntry points. T**