10

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-rc4v-99cr-pjcm

EPSS Score

CWE

CWE-1321

Published

10/17/2023

Updated

10/17/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-rc4v-99cr-pjcm

GHSA-rc4v-99cr-pjcm: Prototype Pollution in ali-security/mongoose

Impact

This vulnerability causes a Prototype Pollution in document.js, through functions such as findByIdAndUpdate(). For applications using Express and EJS, this can potentially allow remote code execution.

Patches

The original patched version for mongoose 5.3.3 did not include a fix for CVE-2023-3696. Therefore the existing version @seal-security/mongoose-fixed version 5.3.3 is affected by this vulnerability (though it is protected from CVE-2022-2564 and CVE-2019-17426). To mitigate this issue, a @seal-security/mongoose-fixed version 5.3.4 has been deployed. Note that this version is compatible with the original mongoose version 5.3.3, not version 5.3.4

References

https://security.snyk.io/vuln/SNYK-JS-MONGOOSE-5777721 https://github.com/advisories/GHSA-9m93-w8w6-76hh https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-rc4v-99cr-pjcm

EPSS Score

CWE

CWE-1321

Published

10/17/2023

Updated

10/17/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@seal-security/mongoose-fixed	npm	= 5.3.3	5.3.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the init function's handling of document initialization. The GitHub commit shows a fix adding checks for 'proto' and 'constructor' keys in the _init helper function. The Snyk PoC demonstrates exploitation via findByIdAndUpdate() with $rename targeting proto.polluted. While findByIdAndUpdate() is the attack vector, the root vulnerable code is in document.js's init implementation that processes these updates without prototype pollution protections prior to the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is vuln*r**ility **us*s * Prototyp* Pollution in *o*um*nt.js, t*rou** *un*tions su** *s *in**yI**n*Up**t*(). *or *ppli**tions usin* *xpr*ss *n* *JS, t*is **n pot*nti*lly *llow r*mot* *o** *x**ution. ### P*t***s T** ori*in*l p*t**** v*rs

Reasoning

T** vuln*r**ility st*ms *rom t** init *un*tion's **n*lin* o* *o*um*nt initi*liz*tion. T** *it*u* *ommit s*ows * *ix ***in* ****ks *or '__proto__' *n* '*onstru*tor' k*ys in t** _init **lp*r *un*tion. T** Snyk Po* **monstr*t*s *xploit*tion vi* *in**yI*

10

Basic Information

Concerned about an active attack path?

GHSA-rc4v-99cr-pjcm: Prototype Pollution in ali-security/mongoose

Impact

Patches

References

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI