GHSA-rc4v-99cr-pjcm: 
JavaScript vulnerability analysis and mitigation

A critical prototype pollution vulnerability was discovered in the mongoose package (GHSA-rc4v-99cr-pjcm), affecting versions <5.13.20, >=6.0.0-rc0 <6.11.3, and >=7.0.0-rc0 <7.3.4. The vulnerability was published and disclosed on July 17, 2023, and was discovered by Larry Yuan. This security issue affects the document.js component of mongoose, which is a MongoDB object modeling tool designed for asynchronous environments (GitHub Advisory, Snyk Report).

The vulnerability exists in document.js and can be exploited through update functions such as findByIdAndUpdate(). The issue received a CVSS score of 10.0 (Critical), with attack vector being Network, attack complexity Low, requiring no privileges or user interaction. The vulnerability is classified under CWE-1321 and allows for prototype pollution through manipulation of document properties (GitHub Advisory, Snyk Report).

The vulnerability's impact is particularly severe for applications using Express and EJS, potentially enabling remote code execution. When successfully exploited, it can lead to prototype pollution, allowing attackers to inject properties into existing JavaScript language construct prototypes. This can result in denial of service through JavaScript exceptions or enable tampering with application source code, potentially leading to remote code execution (Snyk Report).

The vulnerability has been patched in mongoose versions 5.13.20, 6.11.3, and 7.3.4. Users are strongly advised to upgrade to these or higher versions. For the @seal-security/mongoose-fixed package, version 5.3.4 has been deployed to address this issue (GitHub Advisory).