Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/mongoose@4.13.14
purl pkg:npm/mongoose@4.13.14
Next non-vulnerable version 6.13.9
Latest non-vulnerable version 9.1.6
Risk
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-74zu-ckd6-cqcz
Aliases:
CVE-2024-53900
GHSA-m7xq-9374-9rvx
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
5.13.23
Affected by 2 other vulnerabilities.
6.13.5
Affected by 2 other vulnerabilities.
7.8.3
Affected by 2 other vulnerabilities.
8.8.3
Affected by 2 other vulnerabilities.
VCID-79e8-w592-4kfc
Aliases:
CVE-2025-23061
GHSA-vg7j-7cwx-8wgw
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
6.13.6
Affected by 1 other vulnerability.
7.8.4
Affected by 1 other vulnerability.
8.9.5
Affected by 1 other vulnerability.
VCID-7kqt-gc7f-yqc2
Aliases:
CVE-2022-2564
GHSA-f825-f98c-gj3g
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
5.13.15
Affected by 4 other vulnerabilities.
6.0.0-rc0
Affected by 3 other vulnerabilities.
6.4.6
Affected by 4 other vulnerabilities.
VCID-e36b-xyqv-5uh1
Aliases:
CVE-2019-17426
GHSA-8687-vv9j-hgph
Improper Input Validation in Automattic Mongoose
4.13.21
Affected by 5 other vulnerabilities.
5.7.5
Affected by 5 other vulnerabilities.
VCID-fnw7-7c7z-5udv
Aliases:
CVE-2026-42334
GHSA-wpg9-53fq-2r8h
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.
6.13.9
Affected by 0 other vulnerabilities.
7.8.9
Affected by 0 other vulnerabilities.
8.22.1
Affected by 0 other vulnerabilities.
9.1.6
Affected by 0 other vulnerabilities.
VCID-xk4w-gxs4-7bab
Aliases:
CVE-2023-3696
GHSA-9m93-w8w6-76hh
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
5.13.20
Affected by 3 other vulnerabilities.
6.11.3
Affected by 3 other vulnerabilities.
7.3.3
Affected by 4 other vulnerabilities.
7.3.4
Affected by 3 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T22:20:40.547074+00:00 GitLab Importer Affected by VCID-fnw7-7c7z-5udv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2026-42334.yml 38.6.0
2026-06-12T19:50:11.538345+00:00 GitLab Importer Affected by VCID-79e8-w592-4kfc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2025-23061.yml 38.6.0
2026-06-12T19:47:45.263365+00:00 GitLab Importer Affected by VCID-74zu-ckd6-cqcz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2024-53900.yml 38.6.0
2026-06-12T19:00:36.849881+00:00 GitLab Importer Affected by VCID-xk4w-gxs4-7bab https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2023-3696.yml 38.6.0
2026-06-12T18:28:51.149953+00:00 GitLab Importer Affected by VCID-7kqt-gc7f-yqc2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2022-2564.yml 38.6.0
2026-06-12T17:14:45.807379+00:00 GitLab Importer Affected by VCID-e36b-xyqv-5uh1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2019-17426.yml 38.6.0