Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
This advisory has been marked as False Positive as it is a duplicate of CVE-2022-2564
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
Versions of mongoose before 4.3.6 and 3.8.39 are vulnerable to remote memory exposure. Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database. Recommendation: update to version 4.3.6, 3.8.39 or later.
Automattic Mongoose allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored.