Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-spbr-7jj3-zqg6
Vulnerability ID VCID-spbr-7jj3-zqg6
Aliases GHSA-r5xw-q988-826m
GMS-2020-748
Summary Remote Memory Exposure in mongoose Versions of `mongoose` before 4.3.6, 3.8.39 are vulnerable to remote memory exposure. Trying to save a number to a field of type Buffer on the affected mongoose versions allocates a chunk of uninitialized memory and stores it in the database. ## Recommendation Update to version 4.3.6, 3.8.39 or later.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-201 Insertion of Sensitive Information Into Sent Data
System Score Found at
cvssv3.1 5.1 https://gist.github.com/ChALkeR/440bc3dfcbd9b6da75c3
generic_textual MODERATE https://gist.github.com/ChALkeR/440bc3dfcbd9b6da75c3
cvssv3.1 5.1 https://gist.github.com/ChALkeR/d4a8055625221b6e65f0
generic_textual MODERATE https://gist.github.com/ChALkeR/d4a8055625221b6e65f0
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-r5xw-q988-826m
cvssv3.1 5.1 https://github.com/Automattic/mongoose/issues/3764
generic_textual MODERATE https://github.com/Automattic/mongoose/issues/3764
cvssv3.1 5.1 https://www.npmjs.com/advisories/599
generic_textual MODERATE https://www.npmjs.com/advisories/599
Reference id Reference type URL
https://gist.github.com/ChALkeR/440bc3dfcbd9b6da75c3
https://gist.github.com/ChALkeR/d4a8055625221b6e65f0
https://github.com/Automattic/mongoose/issues/3764
https://www.npmjs.com/advisories/599
GHSA-r5xw-q988-826m https://github.com/advisories/GHSA-r5xw-q988-826m
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://gist.github.com/ChALkeR/440bc3dfcbd9b6da75c3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://gist.github.com/ChALkeR/d4a8055625221b6e65f0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/Automattic/mongoose/issues/3764
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.npmjs.com/advisories/599
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-04T16:20:13.509268+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/GMS-2020-748.yml 38.6.0