CVE-2019-17426
Description
Mongoose through 5.7.4 fails to handle the _bsontype attribute in query objects, allowing attackers to bypass access controls by injecting a crafted _bsontype value.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2019-17426 affects Automattic Mongoose versions up to 5.7.4. The vulnerability stems from how Mongoose processes MongoDB query objects. When a query object carries a top-level _bsontype attribute, the bson parser (bson 1.x, i.e. older versions of the mongodb/js-bson project) treats it specially and drops the filter, so the query silently runs with an empty filter instead of the intended one. Mongoose neither sanitized nor rejected such attributes, allowing an attacker to inject a _bsontype property into a query object and thereby disable the filters the application applied [2].
Attack Vector and Exploitation
An attacker who can control or influence query parameters sent to a Mongoose application can exploit this by including a _bsontype field, for example "_bsontype":"a". Once the filter is dropped, the query no longer restricts the result set, bypassing access control checks that rely on query filters. The attack requires no privileges beyond the ability to craft query input, making it a low-complexity attack vector in many web applications that expose filtered data endpoints [2].
Impact
Successful exploitation could allow an attacker to bypass access control mechanisms, potentially enabling them to read, modify, or delete data that should be restricted. Because the issue is in how Mongoose interacts with the bson parser, the impact depends on the application's query logic, but in scenarios where filters enforce user-specific permissions, this vulnerability could lead to unauthorized data access (horizontal or vertical privilege escalation) [2].
Mitigation Status
Mongoose addressed this issue in version 4.13.21, released shortly after the CVE was published [4]. Users on the 4.x line should upgrade to 4.13.21 and users on the 5.x line to 5.7.5 or later; both releases carry the same fix. Applications that run a vulnerable Mongoose version with user-controlled query parameters are at risk and should be updated as soon as possible [2][4].
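As an added example (not Mongoose's code and not from the advisory), a guard an application can apply to a user-influenced filter before handing it to a Mongoose version that lacks the fix: it rejects filters carrying _bsontype instead of silently deleting the key, so attempts surface in logs. Descending into nested objects as well as the top level is an extra precaution assumed here; the advisory only describes the top-level key. The function names, error code and sample filters are constructed.

```javascript
// Added example, not Mongoose's own code: a guard applied to a user-influenced
// filter before it reaches a Mongoose version without the fix. It rejects the
// filter instead of silently deleting `_bsontype`, so the attempt is logged.
const FORBIDDEN_KEY = '_bsontype';

// Walk a filter and return the paths at which `_bsontype` appears. The advisory
// only describes the top-level key; descending into nested objects and arrays
// ($or, $and, sub-documents) is an extra precaution assumed here.
function findBsontypeKeys(value, path = '', out = []) {
  if (Array.isArray(value)) {
    value.forEach((item, i) => findBsontypeKeys(item, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === 'object') {
    // Object.keys lists own properties only, so a filter that defines its own
    // `hasOwnProperty` key, or one built with Object.create(null), is handled.
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key === FORBIDDEN_KEY) out.push(here);
      findBsontypeKeys(value[key], here, out);
    }
  }
  return out;
}

// Throw on a tampered filter; otherwise return a shallow copy so the caller's
// object is never mutated. The error code is a constructed name for log routing.
function guardFilter(filter) {
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
    throw new TypeError('Query filter must be a plain object');
  }
  const hits = findBsontypeKeys(filter);
  if (hits.length > 0) {
    const err = new Error(`Rejected query filter: _bsontype at ${hits.join(', ')}`);
    err.code = 'E_BSONTYPE_IN_FILTER';
    throw err;
  }
  return { ...filter };
}

// Constructed sample filters: a per-user filter as a resource endpoint would build
// it, and the same filter with the `_bsontype` key from the advisory injected.
const cleanFilter = { owner: 'alice', status: { $in: ['open', 'pending'] } };
const tamperedFilter = { owner: 'alice', _bsontype: 'a' };

if (typeof module !== 'undefined') {
  module.exports = { findBsontypeKeys, guardFilter, cleanFilter, tamperedFilter };
}
```

Call guardFilter on the filter right before Model.find (or in a query middleware) and route the E_BSONTYPE_IN_FILTER error to the application's alerting, since a hit is a direct indicator of tampering rather than a user error.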
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mongoose (npm) | >= 5.0.0, < 5.7.5 | 5.7.5 |
| mongoose (npm) | < 4.13.21 | 4.13.21 |
Affected products
- Automattic/Mongoose
Patches
f88eb2524b65 fix(query): delete top-level `_bsontype` property in queries to prevent silent empty queries
1 file changed · +6 −0
lib/cast.js+6 −0 modified@@ -23,6 +23,12 @@ module.exports = function cast(schema, obj, options, context) { throw new Error('Query filter must be an object, got an array ', util.inspect(obj)); } + // bson 1.x has the unfortunate tendency to remove filters that have a top-level + // `_bsontype` property. Should remove this when we upgrade to bson 4.x. See gh-8222 + if (obj.hasOwnProperty('_bsontype')) { + delete obj._bsontype; + } + var paths = Object.keys(obj); var i = paths.length; var _keys;
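Review bot: `obj.hasOwnProperty('_bsontype')` in the added block is not robust against the very input it guards. A filter deserialized from user JSON can carry its own `hasOwnProperty` key (the call then invokes that value and throws), and a filter created with `Object.create(null)` has no such method at all. Use `Object.prototype.hasOwnProperty.call(obj, '_bsontype')` instead, and extend the comment to state that only the top-level key is removed, as the commit title says.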
f3eca5b94d82 fix(query): delete top-level `_bsontype` property in queries to prevent silent empty queries
1 file changed · +6 −0
lib/cast.js+6 −0 modified@@ -27,6 +27,12 @@ module.exports = function cast(schema, obj, options, context) { throw new Error('Query filter must be an object, got an array ', util.inspect(obj)); } + // bson 1.x has the unfortunate tendency to remove filters that have a top-level + // `_bsontype` property. Should remove this when we upgrade to bson 4.x. See gh-8222 + if (obj.hasOwnProperty('_bsontype')) { + delete obj._bsontype; + } + const paths = Object.keys(obj); let i = paths.length; let _keys;
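Review bot: `delete obj._bsontype` mutates the caller-supplied filter in place and drops the key without a trace; given that the comment itself says this key can turn a query into a silent empty one, consider logging or rejecting the filter so an injection attempt is visible rather than erased, and document the in-place mutation for callers that reuse the object. As in the 4.x backport, prefer `Object.prototype.hasOwnProperty.call(obj, '_bsontype')` over `obj.hasOwnProperty(...)`, which breaks on a filter that defines its own `hasOwnProperty` key or was built with `Object.create(null)`.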
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-8687-vv9j-hgph (GHSA advisory)
[2] nvd.nist.gov/vuln/detail/CVE-2019-17426 (NVD advisory)
[3] github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afb3c31c (fix commit, 5.x)
[4] github.com/Automattic/mongoose/commit/f88eb2524b65a68ff893c90a03c04f0913c1913e (fix commit, 4.x)
[5] github.com/Automattic/mongoose/commits/4.13.21
[6] github.com/Automattic/mongoose/issues/8222
[7] github.com/Automattic/mongoose/releases/tag/4.13.21
News mentions
No linked articles in our index yet.