
cpe:2.3:a:automattic:mongoose:*:*:*:*:*:*:*:*

Part: a · Version: * · Update: *

Vendor: Automattic (1dc39c9b-4ddb-5af6-acf4-410b436129a9)
Product: Mongoose (cc6555de-61b0-56d7-bb71-1d610de550cc)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL · Source · Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier · CPE applicability · Submitted · db.gcve.eu details · Rationale

Identifier: CVE-2026-42334
CPE applicability: vulnerable
Submitted: 2026-06-03 15:25:00.961808
Title: Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
Severity: HIGH (7.5)
Description: Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, Mongoose's sanitizeFilter query sanitization could be bypassed via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps any filter value that contains query operators in $eq so that it is treated as a literal match rather than as an operator. Before the fix, $nor was not in the set of logical operators ($and, $or) whose clauses are recursively sanitized. Because $nor, like $and and $or, takes an array of clauses, and an array does not trigger hasDollarKeys(), operators such as $ne, $gt, or $regex placed inside a $nor clause passed through unsanitized, so an attacker who controls that part of the filter could inject them. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.
Published: 2026-05-14T18:03:43.196Z
Updated: 2026-05-14T18:18:06.935Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
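The bypass described in the CVE-2026-42334 entry above, as an added example that is not code from Mongoose or from the advisory: a minimal model of a sanitizeFilter-style pass, built once with the pre-fix set of recursively sanitized logical operators ($and, $or) and once with the post-fix set ($and, $or, $nor). The names hasDollarKeys, makeSanitizer, LOGICAL_OPS_*, hasLiveOperator, demonstrate and the attacker filter are chosen for this example; only the modelled behaviour (operator-bearing values are wrapped in $eq, recognized logical operators are recursed into, an array never triggers hasDollarKeys) follows the advisory text.

```javascript
// Added example, not Mongoose's own code: a minimal model of a
// sanitizeFilter-style pass, written to show why leaving `$nor` out of the
// set of recursively sanitized logical operators lets operators through.
// Names below (hasDollarKeys, makeSanitizer, LOGICAL_OPS_*, hasLiveOperator)
// are chosen for this example; only the behaviour they model is from the advisory.

// True when a plain object carries a key that looks like a query operator.
// For an array, Object.keys() yields "0", "1", ... so this is always false;
// that is the property the $nor bypass relies on.
function hasDollarKeys(value) {
  return (
    value !== null &&
    typeof value === 'object' &&
    Object.keys(value).some((k) => k.startsWith('$'))
  );
}

// Logical operators whose array operands are sanitized clause by clause.
const LOGICAL_OPS_VULNERABLE = new Set(['$and', '$or']);        // pre-fix set
const LOGICAL_OPS_FIXED = new Set(['$and', '$or', '$nor']);     // post-fix set
const LOGICAL_OPS_ALL = new Set(['$and', '$or', '$nor']);

// Build a sanitizer that recurses into the given logical operators and
// wraps every other operator-bearing value in $eq (a literal match).
function makeSanitizer(logicalOps) {
  function sanitize(filter) {
    if (filter === null || typeof filter !== 'object' || Array.isArray(filter)) {
      return filter;
    }
    const out = {};
    for (const [key, value] of Object.entries(filter)) {
      if (logicalOps.has(key) && Array.isArray(value)) {
        out[key] = value.map(sanitize);          // recurse into each clause
      } else if (hasDollarKeys(value)) {
        out[key] = { $eq: value };               // neutralize operator object
      } else {
        // Scalars and arrays pass through unchanged. An array under a key the
        // sanitizer does not recognize (pre-fix `$nor`) therefore keeps
        // whatever operators its elements contain.
        out[key] = value;
      }
    }
    return out;
  }
  return sanitize;
}

const sanitizeVulnerable = makeSanitizer(LOGICAL_OPS_VULNERABLE);
const sanitizeFixed = makeSanitizer(LOGICAL_OPS_FIXED);

// Reports whether an operator key survives where MongoDB would interpret it,
// i.e. anywhere not under an `$eq` wrapper. The logical operators themselves
// are harmless; what matters is what their clauses contain.
function hasLiveOperator(filter) {
  if (Array.isArray(filter)) return filter.some(hasLiveOperator);
  if (filter === null || typeof filter !== 'object') return false;
  return Object.entries(filter).some(([key, value]) => {
    if (key === '$eq') return false;                          // inert literal
    if (key.startsWith('$') && !LOGICAL_OPS_ALL.has(key)) return true;
    return hasLiveOperator(value);
  });
}

// Constructed attacker-controlled filter (think of a JSON body passed
// straight into findOne). `$nor` inverts the clause, so the query matches
// the admin document unless the stored value starts with "a": one step of a
// character-by-character oracle, or, with a regex that matches nothing, a
// password check that always succeeds.
const attackerFilter = {
  username: 'admin',
  $nor: [{ password: { $regex: '^a' } }],
};

// The same kind of payload under a recognized logical operator, for comparison.
const andFilter = { $and: [{ password: { $ne: null } }] };

function demonstrate() {
  const results = {
    arrayHasDollarKeys: hasDollarKeys(attackerFilter.$nor),               // false
    vulnerableLeaks: hasLiveOperator(sanitizeVulnerable(attackerFilter)), // true
    fixedLeaks: hasLiveOperator(sanitizeFixed(attackerFilter)),           // false
    andLeaks: hasLiveOperator(sanitizeVulnerable(andFilter)),             // false
  };
  console.log('pre-fix :', JSON.stringify(sanitizeVulnerable(attackerFilter)));
  console.log('post-fix:', JSON.stringify(sanitizeFixed(attackerFilter)));
  return results;
}

demonstrate();
```

Two points for anyone assessing exposure. sanitizeFilter is opt-in in Mongoose (globally via mongoose.set('sanitizeFilter', true) or as a per-query option), so the bypass only matters where an application relied on it to accept user-shaped filter objects. And the fix adds $nor to the recursed set without changing the rule that an array value is never wrapped, so the more robust pattern remains to build the filter from individually validated fields rather than to pass a user-supplied object through the sanitizer.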
Identifier: CVE-2024-53900
CPE applicability: vulnerable
Submitted: 2026-06-03 14:57:40.404798
Details: available
Description: Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
Published: 2024-12-02T00:00:00.000Z
Updated: 2025-01-06T17:43:08.256Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
