GHSA-f825-f98c-gj3g

GitHub Security Advisory

automattic/mongoose vulnerable to Prototype pollution via Schema.path

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to prototype pollution: the `Schema.path()` function can pollute the prototype when setting the schema object. This allows modification of the Object prototype and could be leveraged for a Denial of Service (DoS) attack.

Affected Packages

npm mongoose: affected versions 6.0.0 (fixed in 6.4.6)
npm mongoose: affected versions 0 (fixed in 5.13.15)

Key Information

GHSA ID: GHSA-f825-f98c-gj3g
Published: July 29, 2022 12:00 AM
Last Modified: September 11, 2023 4:22 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: npm
Primary Package: mongoose
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 16, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.