CVE-2022-2564
unknown
CVSS v3
N/A
CVSS v4
N/A
VIR risk
N/A
Description
automattic/mongoose vulnerable to Prototype pollution via Schema.path
Predictions
Exploit likelihood
30%
Patch ETA
N/A
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
References
- https://nvd.nist.gov/vuln/detail/CVE-2022-2564
- https://github.com/Automattic/mongoose/commit/99b418941e2fc974199b8e5bd9d382bb50bf680a
- https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8
- https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141
- https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md
- https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6
- https://github.com/automattic/mongoose
- https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd