GMS-2020-748: Remote Memory Exposure in mongoose
Versions of mongoose before 4.3.6 and before 3.8.39 are vulnerable to remote memory exposure.
Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database.
Recommendation
Update to version 4.3.6, 3.8.39 or later.