
Secure Notes — HTB Challenge

retleave·Apr 21, 2026·7 min read


Info

  • Category: Web
  • Difficulty: Medium
  • Key Topics: Prototype pollution, MongoDB $rename operator, Mongoose hydration, Node.js socket internals
  • Environment: Node.js 21 (Bullseye), Express 4.18.2, Mongoose 7.2.4, MongoDB 7.0

Abstract

Secure Notes is a prototype pollution challenge targeting a Node.js application built with Express and Mongoose. The application implements a note-taking CRUD API where the /update endpoint passes the entire request body to Mongoose's findByIdAndUpdate(), allowing injection of MongoDB update operators. The critical vulnerability chain is: (1) the $rename operator bypasses Mongoose's prototype pollution filters by operating on the MongoDB server side, (2) when the renamed document is read back, Mongoose's hydration process pollutes Object.prototype, and (3) the _peername.address property on Node.js sockets is pollutable, allowing the /flag endpoint's localhost check to be bypassed. This writeup dissects each layer of the attack.

Application Architecture

Server Stack

From the Dockerfile:
Node.js 21 (bullseye) + Express 4.18.2 + Mongoose 7.2.4 + MongoDB 7.0
The entire application lives in a single app.js file; the Note model is declared with only two string fields:

```javascript
const mongoose = require('mongoose');

// The Note schema: only title and content are declared, so any other key
// reaching the update path comes from the request body, not the model.
const Note = mongoose.model('Note', new mongoose.Schema({
    title: String,
    content: String,
}));
```
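The defensive counterpart to the /update handler the abstract describes, as an added example that is not part of the original writeup or the challenge's own app.js: instead of handing the whole request body to findByIdAndUpdate(), the update document is rebuilt from an allowlist of the schema's fields, and any body carrying MongoDB operators ($-prefixed keys such as $rename) or prototype keys is rejected before it reaches Mongoose. The names ALLOWED_FIELDS, hasUnsafeKey and sanitizeNoteUpdate, and the two sample bodies, are assumptions constructed for this example.

```javascript
// Added example (not the challenge's own code). Hardening for the /update
// handler: the body is never passed through as-is; only allowlisted scalar
// fields are copied into an explicit $set, and operator/prototype keys are
// rejected so the attempt surfaces in error logs instead of being dropped.

const ALLOWED_FIELDS = ['title', 'content'];  // the only fields the Note schema declares
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk a parsed JSON body at any depth looking for MongoDB update operators
// ($-prefixed keys), dotted paths, or prototype-polluting keys. Object.keys()
// is used deliberately: JSON.parse() creates "__proto__" as an own property,
// which a plain for...in or hasOwnProperty check would still see here, but a
// schema-level filter that only runs on the Node side would not catch a
// server-side operator like $rename.
function hasUnsafeKey(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(hasUnsafeKey);
  for (const key of Object.keys(value)) {
    if (key.startsWith('$') || key.includes('.') || FORBIDDEN_KEYS.has(key)) return true;
    if (hasUnsafeKey(value[key])) return true;
  }
  return false;
}

// Build the update document from the allowlist only. Unknown fields and
// nested objects are ignored; a body with operator or prototype keys throws.
function sanitizeNoteUpdate(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new Error('update body must be a JSON object');
  }
  if (hasUnsafeKey(body)) {
    throw new Error('update body contains MongoDB operators or prototype keys');
  }
  const $set = {};
  for (const field of ALLOWED_FIELDS) {
    if (typeof body[field] === 'string') $set[field] = body[field];
  }
  if (Object.keys($set).length === 0) throw new Error('no updatable fields supplied');
  return { $set };  // safe to hand to Note.findByIdAndUpdate(id, result)
}

// Constructed request bodies: a benign edit and one smuggling an operator.
const benignBody = JSON.parse('{"title":"groceries","content":"milk"}');
const operatorBody = JSON.parse('{"title":"x","$rename":{"title":"renamed"}}');
```

In the Express route this replaces `Note.findByIdAndUpdate(id, req.body)` with `Note.findByIdAndUpdate(id, sanitizeNoteUpdate(req.body))`, so a rejected body becomes a 400 rather than a server-side rename.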

Content Locked

This challenge is still active on HackTheBox. The full writeup will be available after retirement.