Vulnerability-Lookup

GHSA-WPG9-53FQ-2R8H

Vulnerability from github – Published: 2026-05-05 21:48 – Updated: 2026-05-14 20:53

Summary

Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

Details

Impact

This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator.

When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized.

This may lead to:

Authentication bypass
Unauthorized data access
Data exfiltration

Affected users:

Applications that:

Explicitly enable sanitizeFilter
Pass unsanitized user-controlled input directly into query methods (e.g., Model.findOne(req.body)) and rely on sanitizeFilter to strip out query selectors

Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, Model.findOne({ user: req.body.user, pwd: req.body.pwd }) is not affected.

Patches

Patches have been released for all supported Mongoose release lines:

^6.13.9
^7.8.9
^8.22.1
^9.1.6

Workarounds

Delete $nor keys, use an additional schema validation library, or write middleware to strip out $nor from query filters.

Resources

sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()

Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "mongoose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "6.13.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.8.8"
      },
      "package": {
        "ecosystem": "npm",
        "name": "mongoose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.8.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.22.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "mongoose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.22.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 9.1.5"
      },
      "package": {
        "ecosystem": "npm",
        "name": "mongoose"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42334"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T21:48:06Z",
    "nvd_published_at": "2026-05-14T18:16:47Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThis vulnerability allows bypassing Mongoose\u2019s sanitizeFilter query sanitization mechanism via the `$nor` operator.\n\nWhen sanitizeFilter is enabled, Mongoose wraps query operators in `$eq` to neutralize them. However, prior to the fix, `$nor` was not included in the set of logical operators that are recursively sanitized. Because `$nor` accepts an array (like `$and` and `$or`), and arrays do not trigger `hasDollarKeys()`, malicious operators such as `$ne`, `$gt`, or `$regex` could be injected inside a `$nor` clause without being sanitized.\n\nThis may lead to:\n\n- Authentication bypass\n- Unauthorized data access\n- Data exfiltration\n\n**Affected users:**\n\nApplications that:\n\n- Explicitly enable sanitizeFilter\n- Pass unsanitized user-controlled input directly into query methods (e.g., `Model.findOne(req.body)`) and rely on `sanitizeFilter` to strip out query selectors\n\nApplications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, `Model.findOne({ user: req.body.user, pwd: req.body.pwd })` is not affected.\n\n### Patches\n\nPatches have been released for all supported Mongoose release lines:\n\n- `^6.13.9`\n- `^7.8.9`\n- `^8.22.1`\n- `^9.1.6`   \n\n### Workarounds\n\nDelete `$nor` keys, use an additional schema validation library, or write middleware to strip out `$nor` from query filters.\n\n### Resources\n\nsanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()\n\nOriginal blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html",
  "id": "GHSA-wpg9-53fq-2r8h",
  "modified": "2026-05-14T20:53:38Z",
  "published": "2026-05-05T21:48:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42334"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Automattic/mongoose"
    },
    {
      "type": "WEB",
      "url": "https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()"
    },
    {
      "type": "WEB",
      "url": "https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Mongoose\u0027s Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection"
}

CVE-2026-42334 (GCVE-0-2026-42334)

Vulnerability from cvelistv5 – Published: 2026-05-14 18:03 – Updated: 2026-05-14 18:18

Title

Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

Summary

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/Automattic/mongoose/security/a…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
Automattic	mongoose	Affected: < 6.13.9 Affected: >= 7.0.0, <= 7.8.8 Affected: >= 8.0.0, <= 8.22.0 Affected: >= 9.0.0, <= 9.1.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42334",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T18:17:58.426797Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T18:18:06.935Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mongoose",
          "vendor": "Automattic",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 6.13.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.0.0, \u003c= 7.8.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c= 8.22.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c= 9.1.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose\u2019s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T18:03:43.196Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h"
        }
      ],
      "source": {
        "advisory": "GHSA-wpg9-53fq-2r8h",
        "discovery": "UNKNOWN"
      },
      "title": "Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42334",
    "datePublished": "2026-05-14T18:03:43.196Z",
    "dateReserved": "2026-04-26T13:26:14.514Z",
    "dateUpdated": "2026-05-14T18:18:06.935Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted