npm package
mongoose
pkg:npm/mongoose
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42334 | High | 7.5 | — | < 6.13.9 | 6.13.9 | May 14, 2026 | Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mo |
| CVE-2025-23061 | — | — | — | >= 8.0.0-rc0, < 8.9.5 | 8.9.5 | Jan 15, 2025 | Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900. |
| CVE-2024-53900 | — | — | — | >= 8.0.0-rc0, < 8.8.3 | 8.8.3 | Dec 2, 2024 | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. |
| CVE-2023-3696 | — | — | — | >= 7.0.0, < 7.3.3 | 7.3.3 | Jul 17, 2023 | Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4. |
| CVE-2022-2564 | — | — | — | >= 6.0.0, < 6.4.6 | 6.4.6 | Jul 28, 2022 | Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6. |
| CVE-2019-17426 | — | — | — | >= 5.0.0, < 5.7.5 | 5.7.5 | Oct 10, 2019 | Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's f |