VulnerableCode Package Details - pkg:npm/mongoose@6.12.9

Search for packages

Vulnerability	Summary	Fixed by
VCID-74zu-ckd6-cqcz Aliases: CVE-2024-53900 GHSA-m7xq-9374-9rvx	Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.	6.13.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.8.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.8.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-79e8-w592-4kfc Aliases: CVE-2025-23061 GHSA-vg7j-7cwx-8wgw	Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.	6.13.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 7.8.4 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.9.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-fnw7-7c7z-5udv Aliases: CVE-2026-42334 GHSA-wpg9-53fq-2r8h	Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.	6.13.9 Affected by 0 other vulnerabilities. 7.8.9 Affected by 0 other vulnerabilities. 8.22.1 Affected by 0 other vulnerabilities. 9.1.6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-74zu-ckd6-cqcz
Aliases:
CVE-2024-53900
GHSA-m7xq-9374-9rvx

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.

6.13.5
Affected by 2 other vulnerabilities.

7.8.3
Affected by 2 other vulnerabilities.

8.8.3
Affected by 2 other vulnerabilities.

VCID-79e8-w592-4kfc
Aliases:
CVE-2025-23061
GHSA-vg7j-7cwx-8wgw

Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

6.13.6
Affected by 1 other vulnerability.

7.8.4
Affected by 1 other vulnerability.

8.9.5
Affected by 1 other vulnerability.

VCID-fnw7-7c7z-5udv
Aliases:
CVE-2026-42334
GHSA-wpg9-53fq-2r8h

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.

6.13.9
Affected by 0 other vulnerabilities.

7.8.9
Affected by 0 other vulnerabilities.

8.22.1
Affected by 0 other vulnerabilities.

9.1.6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:20:42.064713+00:00	GitLab Importer	Affected by	VCID-fnw7-7c7z-5udv	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2026-42334.yml	38.6.0
2026-06-12T19:50:13.074798+00:00	GitLab Importer	Affected by	VCID-79e8-w592-4kfc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2025-23061.yml	38.6.0
2026-06-12T19:47:45.907932+00:00	GitLab Importer	Affected by	VCID-74zu-ckd6-cqcz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2024-53900.yml	38.6.0