CVE-2022-2564
CRITICAL
Published Jul 28, 2022 · Last Modified Jun 17, 2026
CVSS 3.1 Base Score: 9.8
Description
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
CVSS Details
Base Score: 9.8 (CVSS 3.1)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Threat Intelligence
No active exploitation signals — not in CISA KEV and no EPSS score yet.
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses (1)
CWE-1321
Affected Products (2)
| Vendor | Product | Version | Range |
|---|---|---|---|
| mongoosejs | mongoose | * | <5.13.15 |
| mongoosejs | mongoose | * | ≥6.0.0 – <6.4.6 |
References (4)
- github.com https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141
- github.com https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6
- github.com https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8
- huntr.dev https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd
Remediation
- github.com https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6
- github.com https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8
- huntr.dev https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd