Package details: pkg:npm/mongoose@7.8.4
purl pkg:npm/mongoose@7.8.4
Next non-vulnerable version 7.8.9
Latest non-vulnerable version 9.1.6
Risk 4.0
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-14hp-t1nh-4bbh
Aliases:
CVE-2026-42334
GHSA-wpg9-53fq-2r8h
Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

### Impact

This vulnerability allows bypassing Mongoose's sanitizeFilter query sanitization mechanism via the `$nor` operator. When sanitizeFilter is enabled, Mongoose wraps query operators in `$eq` to neutralize them. However, prior to the fix, `$nor` was not included in the set of logical operators that are recursively sanitized. Because `$nor` accepts an array (like `$and` and `$or`), and arrays do not trigger `hasDollarKeys()`, malicious operators such as `$ne`, `$gt`, or `$regex` could be injected inside a `$nor` clause without being sanitized.

This may lead to:

- Authentication bypass
- Unauthorized data access
- Data exfiltration

**Affected users:** Applications that:

- Explicitly enable sanitizeFilter
- Pass unsanitized user-controlled input directly into query methods (e.g., `Model.findOne(req.body)`) and rely on `sanitizeFilter` to strip out query selectors

Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, `Model.findOne({ user: req.body.user, pwd: req.body.pwd })` is not affected.

### Patches

Patches have been released for all supported Mongoose release lines:

- `^6.13.9`
- `^7.8.9`
- `^8.22.1`
- `^9.1.6`

### Workarounds

Delete `$nor` keys, use an additional schema validation library, or write middleware to strip out `$nor` from query filters.

### Resources

sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()
Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html
7.8.9
Affected by 0 other vulnerabilities.
8.22.1
Affected by 0 other vulnerabilities.
9.1.6
Affected by 0 other vulnerabilities.
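As an added example (not Mongoose's code and not taken from the advisory), the sanitization behaviour the Impact section describes, modelled in plain JavaScript with the logical-operator set before and after the fix, plus a check that reports any selector left unsanitized and the `$nor`-stripping workaround the advisory names. `hasDollarKeys` follows the name used in the advisory; every other name and the sample filter are assumptions.

```javascript
// Added example (not Mongoose's own code): simplified model of a sanitizeFilter-style sanitizer.
// Values holding query selectors are wrapped in $eq; the arrays of logical operators are recursed into.
const LOGICAL_OPS_BEFORE_FIX = ['$and', '$or'];         // $nor missing: its array passes through
const LOGICAL_OPS_AFTER_FIX = ['$and', '$or', '$nor'];

// True only for a plain object with at least one key starting with '$' (arrays never match).
function hasDollarKeys(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value) &&
    Object.keys(value).some((k) => k.startsWith('$'));
}

function sanitizeFilter(filter, logicalOps = LOGICAL_OPS_AFTER_FIX) {
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) return filter;
  const out = {};
  for (const [key, value] of Object.entries(filter)) {
    if (logicalOps.includes(key) && Array.isArray(value)) {
      out[key] = value.map((clause) => sanitizeFilter(clause, logicalOps)); // recurse into clauses
    } else if (hasDollarKeys(value)) {
      out[key] = { $eq: value };                                            // neutralise selectors
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Defensive check for tests: every selector key that survives outside a $eq literal, with its
// path, so an application can assert that sanitization left nothing exploitable.
function remainingSelectors(filter, path = '') {
  if (filter === null || typeof filter !== 'object') return [];
  if (Array.isArray(filter)) return filter.flatMap((v, i) => remainingSelectors(v, `${path}[${i}]`));
  return Object.entries(filter).flatMap(([k, v]) => {
    if (k === '$eq') return [];                                   // wrapped literal, not a selector
    const here = path ? `${path}.${k}` : k;
    const hit = k.startsWith('$') && !LOGICAL_OPS_AFTER_FIX.includes(k) ? [here] : [];
    return hit.concat(remainingSelectors(v, here));
  });
}

// Workaround named in the advisory for deployments that cannot upgrade yet: drop $nor keys
// recursively before the filter reaches a query method.
function stripNor(filter) {
  if (filter === null || typeof filter !== 'object') return filter;
  if (Array.isArray(filter)) return filter.map(stripNor);
  return Object.fromEntries(
    Object.entries(filter).filter(([k]) => k !== '$nor').map(([k, v]) => [k, stripNor(v)]));
}

// Constructed test filter of the shape the advisory describes: a selector hidden in a $nor clause.
const SAMPLE_FILTER = { name: 'alice', $nor: [{ role: { $ne: '' } }] };
```

Running `remainingSelectors` over the output of both sanitizer variants on `SAMPLE_FILTER` shows the pre-fix set leaving `$nor[0].role.$ne` intact while the fixed set wraps it in `$eq`.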
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-wf9k-8mhk-1fe1
Mongoose search injection vulnerability: Mongoose versions prior to 8.9.5, 7.8.4, and 6.13.6 are vulnerable to improper use of the `$where` operator. This vulnerability arises from the ability of the `$where` clause to execute arbitrary JavaScript code in MongoDB queries, potentially leading to code injection attacks and unauthorized access or manipulation of database data. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
Aliases:
CVE-2025-23061
GHSA-vg7j-7cwx-8wgw

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-09T20:42:54.969036+00:00 GHSA Importer Fixing VCID-wf9k-8mhk-1fe1 https://github.com/advisories/GHSA-vg7j-7cwx-8wgw 38.6.0
2026-06-06T08:26:35.878048+00:00 GitLab Importer Affected by VCID-14hp-t1nh-4bbh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2026-42334.yml 38.6.0
2026-06-04T17:09:07.071971+00:00 GithubOSV Importer Fixing VCID-wf9k-8mhk-1fe1 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-vg7j-7cwx-8wgw/GHSA-vg7j-7cwx-8wgw.json 38.6.0
2026-06-04T16:23:04.243833+00:00 GitLab Importer Fixing VCID-wf9k-8mhk-1fe1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mongoose/CVE-2025-23061.yml 38.6.0