CVE-2022-37614
Description
A prototype pollution vulnerability exists in the enable function of mockery.js, allowing attackers to pollute the Object prototype via the key variable, enabling denial of service or remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-37614 is a prototype pollution vulnerability identified in the `enable` function of mockery.js, a Node.js library that simplifies mocking of modules during unit testing. The flaw lies in how the `key` variable is handled within mockery.js, as noted in the official CVE description [3]. The vulnerable code is present in commit 822f0566fd6d72af8c943ae5ca2aa92e516aa2cf of the mfncooper/mockery repository [1].
Prototype pollution occurs when an attacker can inject properties into the `Object.prototype` of the JavaScript runtime. In this case, the `enable` function does not validate the `key` variable, so a crafted input can pollute the global object prototype. The attack surface is the library's own interface: an attacker supplies a malicious key string (for example, one containing `__proto__` or another prototype-accessible property name) in the options passed to `mockery.enable(options)` [2]. No authentication is required; the attacker only needs to invoke the method with a specially crafted options object.
The impact of this vulnerability is significant. By polluting the Object.prototype, an attacker can modify the behavior of all objects in the application, potentially leading to arbitrary code execution, denial of service, or application logic bypass. A successful exploit could grant the attacker the ability to override existing properties or add new ones that affect the entire runtime environment [2]. Since mockery is often used in development and testing environments, the vulnerability might be leveraged in supply chain attacks where a malicious dependency introduces the polluting input.
As of the advisory, the repository owner archived the mfncooper/mockery project on April 30, 2024, indicating it is no longer maintained [4]. The specific commit containing the vulnerable code has been flagged, and no patch was released. Users of this library are advised to migrate to alternative mocking solutions or fork the project and apply a fix manually. The vulnerability has been published in the National Vulnerability Database (NVD) for awareness [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
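The narrative above describes an options merge that writes attacker-controlled keys without checking them. The following is an added example, not mockery's own code: a hardened option merge of the kind a library could use in its `enable(options)` path, plus a pre-flight check a caller can run over untrusted configuration before handing it to any library that merges options. Function names (`findPollutingKeys`, `safeMergeOptions`, `demo`), the option names and the sample input are all constructed for this example.

```javascript
// Keys that resolve to the prototype chain when used as property names.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Defensive pre-flight check: returns the dotted paths of every own key in
// `value` (recursively) that a naive "target[key] = source[key]" merge would
// route to Object.prototype. Run it on untrusted configuration and log or
// reject before the data reaches any library that merges options.
function findPollutingKeys(value, path = '', out = []) {
  if (value === null || typeof value !== 'object') return out;
  for (const key of Object.keys(value)) {     // own keys only; JSON.parse makes "__proto__" an own key
    const here = path ? `${path}.${key}` : key;
    if (DANGEROUS_KEYS.has(key)) out.push(here);
    else findPollutingKeys(value[key], here, out);
  }
  return out;
}

// Hardened option merge: copies into a fresh null-prototype object, rejects
// prototype-chain keys outright, and rebuilds nested objects instead of
// writing into whatever target[key] currently resolves to.
function safeMergeOptions(defaults, supplied) {
  const merged = Object.assign(Object.create(null), defaults);
  for (const key of Object.keys(supplied)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`refusing to merge option key "${key}"`);
    }
    const val = supplied[key];
    merged[key] = (val !== null && typeof val === 'object' && !Array.isArray(val))
      ? safeMergeOptions(Object.create(null), val)
      : val;
  }
  return merged;
}

// Constructed sample: an options document from an untrusted source carrying a
// "__proto__" key of the kind the advisory describes (option names are made up).
const SAMPLE_OPTIONS = JSON.parse(
  '{"verbose": false, "__proto__": {"polluted": true}}'
);

// Runs both defences over the sample and reports what a caller would observe.
function demo() {
  const flagged = findPollutingKeys(SAMPLE_OPTIONS);   // ["__proto__"]
  let rejected = false;
  try { safeMergeOptions({ verbose: true }, SAMPLE_OPTIONS); } catch (e) { rejected = true; }
  const prototypeClean = ({}).polluted === undefined;   // Object.prototype untouched
  return { flagged, rejected, prototypeClean };
}
```

A deployment that cannot patch the archived library can still apply `findPollutingKeys` at the boundary where test configuration is read, which turns a silent pollution into a logged rejection.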
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| mockery | npm | <= 2.1.0 | — |
Affected products
- mfncooper/mockery.js
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gmwp-3pwc-3j3g (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-37614 (advisory)
- github.com/mfncooper/mockery/blob/822f0566fd6d72af8c943ae5ca2aa92e516aa2cf/mockery.js (web)
- github.com/mfncooper/mockery/issues/77 (web)
News mentions
No linked articles in our index yet.