Mongoosejs CVEs and Security Vulnerabilities

Search

Use the Query Builder to create your own search query, or check out the documentation to learn the search syntax.

Search Examples

CVEs in KEV CVEs with EPSS >= 80% Crit. Microsoft High Apache SQL Injection (CWE-89) Linux Kernel High (CVSS 3.1) Apache Struts RCE (Remote Code Execution) XSS (CWE-79) Critical (CVSS 4.0) CVEs to check

Search Results (6 CVEs found)

Export CSV

CVE	Vendors	Products	Updated	CVSS v3.1
CVE-2026-42334	2 Automattic, Mongoosejs	2 Mongoose, Mongoose	2026-05-15	7.5 High
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.
CVE-2025-23061	1 Mongoosejs	1 Mongoose	2025-10-31	9 Critical
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
CVE-2024-53900	2 Automattic, Mongoosejs	2 Mongoose, Mongoose	2025-10-01	9.1 Critical
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
CVE-2023-3696	1 Mongoosejs	1 Mongoose	2024-11-21	9.8 Critical
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
CVE-2022-2564	1 Mongoosejs	1 Mongoose	2024-11-21	9.8 Critical
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
CVE-2019-17426	1 Mongoosejs	1 Mongoose	2024-11-21	9.1 Critical
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).

Page 1 of 1.