Prototype Pollution in automattic/mongoose
Description
Prototype Pollution in Mongoose versions prior to 6.4.6 allows an attacker to pollute object prototypes via crafted input, potentially leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
CVE-2022-2564 is a Prototype Pollution vulnerability affecting Mongoose, a MongoDB object modeling tool for Node.js and Deno, in versions prior to 6.4.6 [1][2]. The flaw resides in how Mongoose's Schema processes property names when it adds paths (lib/schema.js): a dotted key such as `__proto__.toString` in a schema definition was split on dots and walked into the nested object tree without special property names being rejected, so the final assignment could land on Object.prototype and inject properties into the prototype chain.
Attack Vector and Prerequisites
Exploitation requires the attacker to provide crafted input that is processed by Mongoose's schema-building functions; the specific vulnerable code resides in lib/schema.js [3], in Schema.prototype.add and Schema.prototype.path as shown by the patches on this page. An attacker does not need authenticated access to the application, but must be able to supply data that reaches schema construction (e.g., through user-controlled JSON bodies, query parameters, or file uploads that an application turns into schema definitions). No special network position is required beyond HTTP accessibility.
Impact
Successful exploitation of Prototype Pollution can lead to severe consequences, including arbitrary code execution, denial of service, or property injection that bypasses security controls. By polluting Object.prototype, the attacker can alter the behavior of all objects in the application, potentially enabling remote code execution [3].
Mitigation
The vulnerability was patched in Mongoose version 6.4.6 [2][4], with 5.13.15 carrying the same fix for the 5.x line per the advisory's affected-package data. Users are strongly advised to upgrade to these versions or later. No workarounds are documented; the fix addresses the root cause by refusing special property names such as __proto__ when schema paths are added, so a crafted schema key can no longer be walked into the prototype chain.
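The path walk described above, as an added example that is not Mongoose's own code: a small JavaScript model of a dotted-key schema setter in its vulnerable and hardened forms, with a model of the patched add() on top. It assumes a three-name special-property set (the patch only shows utils.specialProperties being consulted, not its contents), uses a constructed marker payload in place of the regression test's `__proto__.toString` so the effect can be reverted, and is stricter than the hunk in that it also checks the final path segment.

```javascript
// Added example, not Mongoose's own code: a simplified model of the schema-path
// walk that CVE-2022-2564 concerns, with the vulnerable shape beside the
// hardened one. The contents of SPECIAL_PROPERTIES are an assumption about
// what Mongoose's utils.specialProperties holds; the patch only shows the Set
// being consulted.
const SPECIAL_PROPERTIES = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable shape. A dotted schema key is split on '.', and each segment is
// walked into the tree, creating an object where none exists. For the segment
// "__proto__", branch[sub] is already an object (Object.prototype), so the walk
// steps onto the shared prototype and the final assignment lands there.
function setNestedPathUnsafe(tree, path, value) {
  const subpaths = path.split('.');
  const last = subpaths.pop();
  let branch = tree;
  for (const sub of subpaths) {
    if (!branch[sub]) {
      branch[sub] = {};
    }
    branch = branch[sub];
  }
  branch[last] = value;
  return tree;
}

// Hardened shape, mirroring the Schema.prototype.path hunk: refuse a special
// property name before walking into it. This version also checks the final
// segment, which is stricter than the hunk (there only the intermediate
// segments are guarded).
function setNestedPathSafe(tree, path, value) {
  const segments = path.split('.');
  for (const sub of segments) {
    if (SPECIAL_PROPERTIES.has(sub)) {
      throw new Error('Cannot set special property `' + sub + '` on a schema');
    }
  }
  const last = segments.pop();
  let branch = tree;
  for (const sub of segments) {
    if (!branch[sub]) {
      branch[sub] = {};
    }
    branch = branch[sub];
  }
  branch[last] = value;
  return tree;
}

// Model of Schema.prototype.add after the fix: a top-level key that is itself a
// special property is skipped (the hunk uses `continue`), and every other key
// goes through the guarded path setter.
function addDefinitionSafe(tree, definition) {
  for (const key of Object.keys(definition)) {
    if (SPECIAL_PROPERTIES.has(key)) {
      continue;
    }
    setNestedPathSafe(tree, key, definition[key]);
  }
  return tree;
}

// Runs both shapes against a constructed payload in the form of the one in the
// patch's regression test. A harmless marker property stands in for toString
// so the pollution can be observed and then reverted.
function demonstrate() {
  const payload = JSON.parse('{"__proto__.polluted": "yes"}');
  const key = Object.keys(payload)[0];
  const unrelated = {};
  const result = {};

  setNestedPathUnsafe({}, key, payload[key]);
  // An object that never touched the schema tree now sees the property.
  result.unsafePolluted = unrelated.polluted === 'yes';
  delete Object.prototype.polluted;

  try {
    addDefinitionSafe({}, payload);
    result.safeThrew = false;
  } catch (err) {
    result.safeThrew = /__proto__/.test(err.message);
  }
  result.prototypeClean = !('polluted' in unrelated);
  return result;
}

console.log(demonstrate());
```

Run with node; demonstrate() returns `{ unsafePolluted: true, safeThrew: true, prototypeClean: true }`. The cleanup with `delete` only works because the marker is a plain data property on Object.prototype; the regression test's payload overwrote toString, which is why that test checks `{}.toString()` still works afterwards.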
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mongoose (npm) | >= 6.0.0, < 6.4.6 | 6.4.6 |
| mongoose (npm) | < 5.13.15 | 5.13.15 |
Affected products
- osv-coords (no CPE), range: < 5.13.15
- osv-coords (no CPE), range: >= 6.0.0, < 6.4.6
- automattic/automattic/mongoose (v5), range: unspecified
Patches
99b418941e2f Merge pull request #12297 from shubanker/issue/prototype-pollution-5.x-patch
2 files changed · +17 −0
lib/schema.js+7 −0 modified@@ -478,6 +478,10 @@ Schema.prototype.add = function add(obj, prefix) { const keys = Object.keys(obj); for (const key of keys) { + if (utils.specialProperties.has(key)) { + continue; + } + const fullPath = prefix + key; if (obj[key] == null) { @@ -663,6 +667,9 @@ Schema.prototype.path = function(path, obj) { let fullPath = ''; for (const sub of subpaths) { + if (utils.specialProperties.has(sub)) { + throw new Error('Cannot set special property `' + sub + '` on a schema'); + } fullPath = fullPath += (fullPath.length > 0 ? '.' : '') + sub; if (!branch[sub]) { this.nested[fullPath] = true;
test/schema.test.js+10 −0 modified@@ -2682,4 +2682,14 @@ describe('schema', function() { assert.equal(TestSchema.path('testprop.$*').instance, 'Number'); assert.equal(TestSchema.path('testprop.$*').options.ref, 'OtherModel'); }); + + it('disallows setting special properties with `add()` or constructor (gh-12085)', function() { + const maliciousPayload = '{"__proto__.toString": "Number"}'; + + assert.throws(() => { + mongoose.Schema(JSON.parse(maliciousPayload)); + }, /__proto__/); + + assert.ok({}.toString()); + }); });
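Review bot: In the `Schema.prototype.add` hunk, a special key is silently skipped (`continue`) while the `Schema.prototype.path` hunk throws for the same names, so a definition such as `{"__proto__": {...}}` produces neither an error nor a path and the bad input goes unnoticed; consider throwing here as well, or documenting why the two entry points differ. `utils.specialProperties` is consulted but not defined in this diff, and the regression test only exercises `__proto__`; confirm the set also covers `constructor` and `prototype`.

Review bot: In the `Schema.prototype.path` hunk, the guard sits inside the loop over `subpaths`, so only intermediate segments are checked; the final segment is assigned after the loop, outside the visible context, and should be confirmed to be rejected or harmless as well. The error message also interpolates the offending segment verbatim, which is fine for logs but worth keeping out of client-facing responses.

Review bot: The test hunk's title promises coverage of `add()`, but the body only calls `mongoose.Schema(...)`; add a case that calls `schema.add(...)` with a top-level `"__proto__"` key to cover the `continue` branch, and assert `typeof Object.prototype.toString === 'function'` explicitly rather than relying on `assert.ok({}.toString())` as the after-check.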
a45cfb6b0ce0 fix(schema): disallow setting __proto__ when creating schema with dotted properties
2 files changed · +17 −0
lib/schema.js+7 −0 modified@@ -554,6 +554,10 @@ Schema.prototype.add = function add(obj, prefix) { const keys = Object.keys(obj); const typeKey = this.options.typeKey; for (const key of keys) { + if (utils.specialProperties.has(key)) { + continue; + } + const fullPath = prefix + key; const val = obj[key]; @@ -854,6 +858,9 @@ Schema.prototype.path = function(path, obj) { let fullPath = ''; for (const sub of subpaths) { + if (utils.specialProperties.has(sub)) { + throw new Error('Cannot set special property `' + sub + '` on a schema'); + } fullPath = fullPath += (fullPath.length > 0 ? '.' : '') + sub; if (!branch[sub]) { this.nested[fullPath] = true;
test/schema.test.js+10 −0 modified@@ -2792,4 +2792,14 @@ describe('schema', function() { }); }, /Cannot use schema-level projections.*subdocument_mapping.not_selected/); }); + + it('disallows setting special properties with `add()` or constructor (gh-12085)', async function() { + const maliciousPayload = '{"__proto__.toString": "Number"}'; + + assert.throws(() => { + mongoose.Schema(JSON.parse(maliciousPayload)); + }, /__proto__/); + + assert.ok({}.toString()); + }); });
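Review bot: The test hunk declares its callback `async function()` but contains no `await`; `assert.throws` with a synchronous callback behaves the same, so drop `async` to match the 5.x version of this test in 99b418941e2f. The two lib/schema.js hunks are identical to that backport, so the same question about `continue` in `add()` versus `throw` in `path()` applies here.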
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-f825-f98c-gj3g (GHSA advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2022-2564 (advisory)
[3] github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js (web)
[4] github.com/Automattic/mongoose/blob/master/CHANGELOG.md (web)
[5] github.com/Automattic/mongoose/commit/99b418941e2fc974199b8e5bd9d382bb50bf680a (web)
[6] github.com/Automattic/mongoose/compare/6.4.5...6.4.6 (web)
[7] github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8 (web)
[8] huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd (confirmation)