Possible prototype pollution in mongoose.Schema #10035
Comments
The fix is feasible and thank you for pointing this out! Passing user data to the
Thank you for your response @vkarpov15. Yes, I need your help to reply By the way, what is your opinion on whether this bug deserves a CVE? If possible, can you help to request one for it, many thanks!
Re: CVE, it's debatable. While allowing user-specified data into your schema is certainly possible, doing so seems to defeat the point of using Mongoose. I'd err on the side of not adding a CVE to reduce noise, but I'm open to arguments to the contrary.
Hey @vkarpov15, OK, I agree with you. It is indeed not quite common that the schema is used in the polluted way :-) By the way, I have found another prototype pollution in mquery@3.2.4 due to the incomplete fix. I opened an issue in mquery at mongoosejs/mquery#120, and also reported this vul through huntr.dev and proposed a possible fix at 418sec/mquery#1. Seems you are also the maintainers of mquery and please help to review it :-) If you also like that fix at mquery@3.2.4, I also need you reply
The Mongoose version used is susceptible to a recently found vulnerability (see Automattic/mongoose#10035). Although it is a medium-severity vulnerability, it will be best to update the package.json with `"mongoose": "^5.12.2",` as humbly suggested in this pull request.
@zpbrent done re: mquery 👍
NodeJS version: 14.16.0
Mongoose version: 5.12.0
I find that `mongoose.Schema()` is subject to prototype pollution due to the recursive calling of the `Schema.prototype.add()` function to add new items into the schema object. This vulnerability allows modification of the Object prototype.

What is the current behavior?
output:
What is the expected behavior?
output:
I have reported this vul through huntr.dev at https://www.huntr.dev/bounties/1-npm-mongoose/
As well as proposed a possible fix with a PR at 418sec#1
Please help to confirm whether this is indeed a bug and also whether the fix is feasible, thanks!
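
The pattern this report describes, as an added example that is not Mongoose's code or the reporter's proof of concept: a simplified recursive `add()` that walks nested definition keys, next to a version that rejects `__proto__`, `constructor` and `prototype` at every depth. `addNaive`, `addGuarded`, `demo` and the sample JSON are assumptions made for illustration.

```javascript
// Added illustration, not Mongoose source; every name here is hypothetical.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Naive recursive add: descends into whatever tree[key] already resolves to.
// For the key "__proto__" that is Object.prototype, so nested keys land there.
function addNaive(tree, obj) {
  for (const key of Object.keys(obj)) {
    const val = obj[key];
    if (!isPlainObject(val)) { tree[key] = val; continue; }
    if (!isPlainObject(tree[key])) tree[key] = {};
    addNaive(tree[key], val);
  }
  return tree;
}

// Guarded add: rejects prototype-reaching keys at every depth and only
// descends into objects that are own properties of the tree.
function addGuarded(tree, obj, path = '') {
  for (const key of Object.keys(obj)) {
    if (BLOCKED_KEYS.has(key)) {
      throw new TypeError(`refusing schema path "${path}${key}"`);
    }
    const val = obj[key];
    if (!isPlainObject(val)) { tree[key] = val; continue; }
    if (!hasOwn(tree, key) || !isPlainObject(tree[key])) tree[key] = {};
    addGuarded(tree[key], val, `${path}${key}.`);
  }
  return tree;
}

// Constructed sample standing in for a schema definition parsed from user JSON.
const SAMPLE = '{"name":"String","__proto__":{"polluted":"yes"}}';

function demo() {
  addNaive({}, JSON.parse(SAMPLE));
  const naivePolluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the side effect of the naive run

  let rejected = false;
  try {
    addGuarded({}, JSON.parse(SAMPLE));
  } catch (err) {
    rejected = err instanceof TypeError;
  }
  return { naivePolluted, rejected, stillPolluted: 'polluted' in {} };
}
```

`JSON.parse` creates `__proto__` as an own key, which is why `Object.keys` hands it to the recursion; an object literal written in source would set the prototype instead and never reach the loop.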