Bitnami package
mongoose
pkg:bitnami/mongoose
Vulnerabilities (5)
| CVE | Severity | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42334 | High | 7.5 | — | < 6.13.9 | 6.13.9 | May 14, 2026 | Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mo |
| CVE-2025-23061 | — | — | — | >= 6.0.0, < 6.13.6 | 6.13.6 | Jan 15, 2025 | Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900. |
| CVE-2024-53900 | — | — | — | < 6.13.5 | 6.13.5 | Dec 2, 2024 | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. |
| CVE-2023-3696 | — | — | — | < 5.13.20 | 5.13.20 | Jul 17, 2023 | Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. |
| CVE-2022-2564 | — | — | — | < 5.13.15 | 5.13.15 | Jul 28, 2022 | Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. |
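Three of the entries above are query injections that rely on a MongoDB operator (`$nor`, `$where`) reaching the query from untrusted input, and the other two are prototype pollution, which relies on attacker-controlled object keys. The following is an added example (not Mongoose project code, and not a model of Mongoose's own `sanitizeFilter`) of the application-side check that makes both classes moot regardless of which Mongoose line is deployed: filters and `populate()` match options built from request input are restricted to an allow-list of field names and scalar equality values, and any `$`-prefixed key at any depth is rejected outright. The names `hasOperatorKey`, `buildFilter` and `buildPopulate`, the allow-list, and the sample inputs are all assumptions for this illustration.

```javascript
// Added example, not part of the Mongoose project. Assumption: the application
// knows which fields a caller may filter on and only needs equality matches.

const OPERATOR_KEY = /^\$/;

// True if `value`, or anything nested inside it (objects or arrays), carries a
// key beginning with '$', i.e. a MongoDB query operator such as $ne, $nor, $where.
function hasOperatorKey(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKey);
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => OPERATOR_KEY.test(k) || hasOperatorKey(value[k]),
  );
}

// Build a query filter from untrusted input. Rejects rather than "sanitizes":
// operators anywhere, fields outside the allow-list (this also covers keys such
// as "__proto__" or "constructor" arriving via JSON.parse), and non-scalar values.
function buildFilter(untrusted, allowedFields) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new TypeError('filter input must be a plain object');
  }
  if (hasOperatorKey(untrusted)) {
    throw new Error('query operator in untrusted filter input');
  }
  const filter = {};
  for (const [field, value] of Object.entries(untrusted)) {
    if (!allowedFields.includes(field)) {
      throw new Error(`field not allowed: ${field}`);
    }
    if (value !== null && typeof value === 'object') {
      throw new Error(`non-scalar value for field: ${field}`);
    }
    // Explicit equality chosen by the server; the caller never supplies an operator.
    filter[field] = { $eq: value };
  }
  return filter;
}

// populate() match options accept the same filter shape, so untrusted match
// input gets exactly the same treatment before it reaches the query.
function buildPopulate(path, untrustedMatch, allowedFields) {
  return { path, match: buildFilter(untrustedMatch, allowedFields) };
}

// Constructed request inputs for demonstration (not captured traffic).
const sampleInputs = [
  { username: 'alice' },                         // accepted
  { username: { $ne: null } },                   // operator smuggled as a value
  { $nor: [{ username: 'alice' }] },             // top-level logical operator
  { path: 'author', match: { $where: 'x' } },    // nested operator
  JSON.parse('{"__proto__":{"isAdmin":true}}'),  // attacker-controlled key
];

for (const input of sampleInputs) {
  try {
    console.log('accepted', JSON.stringify(buildFilter(input, ['username'])));
  } catch (err) {
    console.log('rejected', JSON.stringify(input), '-', err.message);
  }
}
```

This is deliberately stricter than relying on Mongoose's `sanitizeFilter`, which is documented as wrapping operator-bearing values in `$eq` rather than refusing them; a check that fails closed on any operator does not depend on the sanitizer covering every operator, and the allow-list is what stops attacker-chosen keys from ever being assigned onto an object.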