CVE-2026-42334
Description
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.
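To make the mechanism in the advisory concrete, the following is an added example, not Mongoose's own implementation: a simplified model of how sanitizeFilter wraps operator-bearing values in `$eq` and recurses only into a fixed set of logical operators. The two operator sets `LOGICAL_BEFORE_FIX` and `LOGICAL_AFTER_FIX`, the `logicalOps` parameter, and the defender-side `findLiveOperators` check are names chosen here for illustration; the input filter is constructed.

```javascript
// Added example: a simplified model of sanitizeFilter, not Mongoose's own code.
// LOGICAL_BEFORE_FIX, LOGICAL_AFTER_FIX, logicalOps and findLiveOperators are
// illustrative names chosen here.

// Logical operators whose array members are recursively sanitized.
const LOGICAL_BEFORE_FIX = new Set(['$and', '$or']);         // $nor missing (pre-fix)
const LOGICAL_AFTER_FIX = new Set(['$and', '$or', '$nor']);  // $nor included (fixed)

// True when value is a plain object with at least one key starting with '$'.
// Arrays never report dollar keys, so an array-valued operator that is not in
// the logical set passes through sanitizeFilter untouched.
function hasDollarKeys(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value) &&
    Object.keys(value).some(key => key.startsWith('$'));
}

// Wrap any operator-bearing value in $eq so it is compared as a literal.
// Members of recognised logical operators are sanitized recursively.
function sanitizeFilter(filter, logicalOps = LOGICAL_AFTER_FIX) {
  if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
    return filter;
  }
  const sanitized = {};
  for (const [key, value] of Object.entries(filter)) {
    if (logicalOps.has(key) && Array.isArray(value)) {
      sanitized[key] = value.map(clause => sanitizeFilter(clause, logicalOps));
    } else if (hasDollarKeys(value)) {
      sanitized[key] = { $eq: value };
    } else {
      sanitized[key] = value;
    }
  }
  return sanitized;
}

// Defender-side check: after sanitization, list the path of every comparison
// operator that is still live (not wrapped in $eq). Logical operators are
// descended into but not reported themselves.
const LOGICAL_OPERATORS = new Set(['$and', '$or', '$nor']);
function findLiveOperators(filter, path = '') {
  const found = [];
  if (filter === null || typeof filter !== 'object') return found;
  if (Array.isArray(filter)) {
    filter.forEach((item, i) => found.push(...findLiveOperators(item, `${path}[${i}]`)));
    return found;
  }
  for (const [key, value] of Object.entries(filter)) {
    const here = path ? `${path}.${key}` : key;
    if (key === '$eq') continue;  // contents of $eq are an inert literal
    if (key.startsWith('$') && !LOGICAL_OPERATORS.has(key)) found.push(here);
    found.push(...findLiveOperators(value, here));
  }
  return found;
}

// Constructed input in the shape the advisory describes: an operator nested
// inside a $nor clause alongside an ordinary field.
const constructedInput = { username: 'alice', $nor: [{ status: { $ne: 'archived' } }] };
const beforeFix = sanitizeFilter(constructedInput, LOGICAL_BEFORE_FIX);
const afterFix = sanitizeFilter(constructedInput, LOGICAL_AFTER_FIX);

console.log('pre-fix live operators :', findLiveOperators(beforeFix));  // ['$nor[0].status.$ne']
console.log('post-fix live operators:', findLiveOperators(afterFix));   // []
```

The same `findLiveOperators` walk can be run over any filter your application is about to hand to the driver as a belt-and-braces gate while older Mongoose releases are still deployed: an empty result means every comparison operator has been reduced to a literal, whatever logical wrapper it arrived in.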
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mongoose (npm) | < 6.13.9 | 6.13.9 |
| mongoose (npm) | >= 7.0.0, < 7.8.9 | 7.8.9 |
| mongoose (npm) | >= 8.0.0, < 8.22.1 | 8.22.1 |
| mongoose (npm) | >= 9.0.0, < 9.1.6 | 9.1.6 |
Affected products
- osv-coords (no CPE), 2 version entries: range < 6.13.9
References
- github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h (NVD: Mitigation, Vendor Advisory)
- github.com/advisories/GHSA-wpg9-53fq-2r8h (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-42334 (GHSA: Advisory)
- mongoosejs.com/docs/api/mongoose.html (GHSA: Web)
- thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html (GHSA: Web)