Home

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.

PUBLISHED Reserved 2026-04-26 | Published 2026-05-14 | Updated 2026-05-14 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Product status

< 6.13.9
affected

>= 7.0.0, <= 7.8.8
affected

>= 8.0.0, <= 8.22.0
affected

>= 9.0.0, <= 9.1.5
affected

References

github.com/...ngoose/security/advisories/GHSA-wpg9-53fq-2r8h

cve.org (CVE-2026-42334)

nvd.nist.gov (CVE-2026-42334)

Download JSON