Search for packages
| purl | pkg:npm/mongoose@6.0.11 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-74zu-ckd6-cqcz
Aliases: CVE-2024-53900 GHSA-m7xq-9374-9rvx |
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-79e8-w592-4kfc
Aliases: CVE-2025-23061 GHSA-vg7j-7cwx-8wgw |
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-7kqt-gc7f-yqc2
Aliases: CVE-2022-2564 GHSA-f825-f98c-gj3g |
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. |
Affected by 4 other vulnerabilities. |
|
VCID-fnw7-7c7z-5udv
Aliases: CVE-2026-42334 GHSA-wpg9-53fq-2r8h |
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xk4w-gxs4-7bab
Aliases: CVE-2023-3696 GHSA-9m93-w8w6-76hh |
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-12T22:20:41.650780+00:00 | GitLab Importer | Affected by | VCID-fnw7-7c7z-5udv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2026-42334.yml | 38.6.0 |
| 2026-06-12T19:50:12.672529+00:00 | GitLab Importer | Affected by | VCID-79e8-w592-4kfc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2025-23061.yml | 38.6.0 |
| 2026-06-12T19:47:45.746246+00:00 | GitLab Importer | Affected by | VCID-74zu-ckd6-cqcz | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2024-53900.yml | 38.6.0 |
| 2026-06-12T19:00:37.968426+00:00 | GitLab Importer | Affected by | VCID-xk4w-gxs4-7bab | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2023-3696.yml | 38.6.0 |
| 2026-06-12T18:28:52.368465+00:00 | GitLab Importer | Affected by | VCID-7kqt-gc7f-yqc2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2022-2564.yml | 38.6.0 |