CVE-2026-42334
Description
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.
CVSS Details
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Threat Intelligence
Weaknesses 1
Affected Products 4
| Vendor | Product | Version | Range |
|---|---|---|---|
| mongoosejs | mongoose | * | <6.13.9 |
| mongoosejs | mongoose | * | ≥7.0.0 – <7.8.9 |
| mongoosejs | mongoose | * | ≥8.0.0 – <8.22.1 |
| mongoosejs | mongoose | * | ≥9.0.0 – <9.1.6 |
References 1
- github.com https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.