Search for packages
| purl | pkg:npm/mongoose@6.3.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-14hp-t1nh-4bbh
Aliases: CVE-2026-42334 GHSA-wpg9-53fq-2r8h |
Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection ### Impact This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the `$nor` operator. When sanitizeFilter is enabled, Mongoose wraps query operators in `$eq` to neutralize them. However, prior to the fix, `$nor` was not included in the set of logical operators that are recursively sanitized. Because `$nor` accepts an array (like `$and` and `$or`), and arrays do not trigger `hasDollarKeys()`, malicious operators such as `$ne`, `$gt`, or `$regex` could be injected inside a `$nor` clause without being sanitized. This may lead to: - Authentication bypass - Unauthorized data access - Data exfiltration **Affected users:** Applications that: - Explicitly enable sanitizeFilter - Pass unsanitized user-controlled input directly into query methods (e.g., `Model.findOne(req.body)`) and rely on `sanitizeFilter` to strip out query selectors Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, `Model.findOne({ user: req.body.user, pwd: req.body.pwd })` is not affected. ### Patches Patches have been released for all supported Mongoose release lines: - `^6.13.9` - `^7.8.9` - `^8.22.1` - `^9.1.6` ### Workarounds Delete `$nor` keys, use an additional schema validation library, or write middleware to strip out `$nor` from query filters. ### Resources sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter() Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-bu2j-qbnd-27ct
Aliases: CVE-2024-53900 GHSA-m7xq-9374-9rvx |
Mongoose search injection vulnerability Mongoose versions prior to 8.8.3, 7.8.3, and 6.13.5 are vulnerable to improper use of the $where operator. This vulnerability arises from the ability of the $where clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-f581-vwd2-e7h6
Aliases: CVE-2023-3696 GHSA-9m93-w8w6-76hh |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-wf9k-8mhk-1fe1
Aliases: CVE-2025-23061 GHSA-vg7j-7cwx-8wgw |
Mongoose search injection vulnerability Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the `$where` operator. This vulnerability arises from the ability of the `$where` clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-xacy-kytd-zkbh
Aliases: CVE-2022-2564 GHSA-f825-f98c-gj3g |
automattic/mongoose vulnerable to Prototype pollution via Schema.path Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Affected versions of this package are vulnerable to Prototype Pollution. The `Schema.path()` function is vulnerable to prototype pollution when setting the schema object. This vulnerability allows modification of the Object prototype and could be manipulated into a Denial of Service (DoS) attack. |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T08:26:35.159785+00:00 | GitLab Importer | Affected by | VCID-14hp-t1nh-4bbh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2026-42334.yml | 38.6.0 |
| 2026-06-06T05:36:42.271973+00:00 | GitLab Importer | Affected by | VCID-wf9k-8mhk-1fe1 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2025-23061.yml | 38.6.0 |
| 2026-06-06T05:33:27.447961+00:00 | GitLab Importer | Affected by | VCID-bu2j-qbnd-27ct | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2024-53900.yml | 38.6.0 |
| 2026-06-06T03:57:07.256550+00:00 | GitLab Importer | Affected by | VCID-f581-vwd2-e7h6 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2023-3696.yml | 38.6.0 |
| 2026-06-06T02:43:21.128249+00:00 | GitLab Importer | Affected by | VCID-xacy-kytd-zkbh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2022-2564.yml | 38.6.0 |