Miggo Logo
Miggo Vulnerability Database
CVE-2023-3696

CVE-2023-3696:
Mongoose Prototype Pollution vulnerability

10

CVSS Score
3.0

Basic Information

CVE ID
CVE-2023-3696
GHSA ID
GHSA-9m93-w8w6-76hh
EPSS Score
0.42777%
CWE
CWE-1321
Published
7/17/2023
Updated
11/29/2023
KEV Status
No
Technology
TechnologyJavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
mongoosenpm>= 7.0.0, < 7.3.37.3.3
mongoosenpm>= 6.0.0, < 6.11.36.11.3
mongoosenpm< 5.13.205.13.20

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability was explicitly patched by adding checks for 'proto' and 'constructor' keys in the _init function within lib/document.js. The commit message, CWE-1321 classification, and test case demonstrating prototype pollution via $rename operations confirm this was the entry point. The attack vector involved document initialization not properly sanitizing special property names that could modify the prototype chain.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Prototyp* Pollution in *it*u* r*pository *utom*tti*/mon*oos* prior to *.*.*, *.**.*, *n* *.**.**.

Reasoning

T** vuln*r**ility w*s *xpli*itly p*t**** *y ***in* ****ks *or '__proto__' *n* '*onstru*tor' k*ys in t** _init *un*tion wit*in li*/*o*um*nt.js. T** *ommit m*ss***, *W*-**** *l*ssi*i**tion, *n* t*st **s* **monstr*tin* prototyp* pollution vi* $r*n*m* op