Description
Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.
Published: 2026-05-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mongoose's sanitizeFilter option neutralizes query operators found in a filter by wrapping them in $eq before the query is sent to MongoDB. Prior to the security fix, the $nor logical operator was omitted from the list of operators that are sanitized recursively. Because $nor takes an array, and an array does not trigger the hasDollarKeys check that causes an operator object to be wrapped, operators nested inside a $nor clause such as $ne, $gt, or $regex reached MongoDB unsanitized. The result is a NoSQL injection vulnerability that allows an attacker to inject query operators and craft arbitrary queries that can read, modify, or delete application data without authorization.
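The mechanism described above, as an added illustrative re-implementation (not Mongoose's own code): a sanitizer whose set of recursed logical operators is a parameter, run over a constructed filter once with an assumed pre-fix set ($and, $or) and once with the fixed set ($and, $or, $nor), plus a check a defender can apply to confirm that no operator survives unwrapped. The helper names and the sample filter are assumptions.

```javascript
// Illustrative re-implementation of the sanitizeFilter behaviour the advisory describes
// (NOT Mongoose's own code); the recursed logical-operator set is a parameter for comparison.
const PRE_FIX_LOGICAL_OPS = new Set(['$and', '$or']);       // assumed pre-fix set: $nor missing
const FIXED_LOGICAL_OPS = new Set(['$and', '$or', '$nor']); // $nor handled like $and/$or
function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}
// Mirrors the hasDollarKeys() check the advisory names: only a plain object with a
// '$'-prefixed key counts, so an array (the payload of $nor) never triggers it.
function hasDollarKeys(v) {
  return isPlainObject(v) && Object.keys(v).some((k) => k.startsWith('$'));
}

// Returns a sanitized copy: an operator object found under a field name is wrapped
// in { $eq: ... } so MongoDB compares it literally instead of evaluating it.
function sanitizeFilter(filter, logicalOps = FIXED_LOGICAL_OPS) {
  if (Array.isArray(filter)) return filter.map((f) => sanitizeFilter(f, logicalOps));
  if (!isPlainObject(filter)) return filter;
  const out = {};
  for (const [key, value] of Object.entries(filter)) {
    if (logicalOps.has(key) && Array.isArray(value)) {
      out[key] = value.map((f) => sanitizeFilter(f, logicalOps)); // recurse into sub-filters
    } else if (hasDollarKeys(value)) {
      out[key] = { $eq: value };                                   // neutralize the operator
    } else {
      out[key] = value; // scalars and arrays pass through: pre-fix, a $nor array lands here
    }
  }
  return out;
}

// Defender-side check: does any operator other than $eq survive under a field?
// The contents of $eq are inert; $and/$or/$nor are structural and only recursed.
function hasLiveOperator(filter) {
  if (Array.isArray(filter)) return filter.some((f) => hasLiveOperator(f));
  if (!isPlainObject(filter)) return false;
  return Object.entries(filter).some(([key, value]) => {
    if (key === '$eq') return false;
    if (key.startsWith('$') && !FIXED_LOGICAL_OPS.has(key)) return true;
    return hasLiveOperator(value);
  });
}

// Constructed request body of the shape the advisory describes (not real traffic).
const UNTRUSTED_FILTER = JSON.parse('{"role":{"$ne":"admin"},"$nor":[{"role":{"$ne":"admin"}}]}');
const preFix = sanitizeFilter(UNTRUSTED_FILTER, PRE_FIX_LOGICAL_OPS);
const fixed = sanitizeFilter(UNTRUSTED_FILTER, FIXED_LOGICAL_OPS);
console.log('pre-fix leaves a live operator:', hasLiveOperator(preFix)); // true
console.log('fixed leaves a live operator:', hasLiveOperator(fixed));    // false
```

The same hasLiveOperator check can be run against the output of an application's own filter-sanitization wrapper to confirm that $nor is covered before the upgrade is rolled out.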

Affected Systems

The issue affects applications using Automattic’s Mongoose library versions earlier than 6.13.9, 7.8.9, 8.22.1, or 9.1.6. Any deployment that incorporates one of these vulnerable releases and enables sanitizeFilter can be exposed to the described injection attack.

Risk and Exploitability

The vulnerability is rated CVSS 7.5, indicating a high severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through any user-controlled query building that passes through Mongoose's sanitizeFilter. If an application accepts untrusted input for query filters, an attacker could embed a $nor clause containing injected operators, achieving unauthorized data retrieval or manipulation. The lack of an EPSS score does not imply low risk; the vulnerability remains exploitable whenever the conditions are met.

Generated by OpenCVE AI on May 14, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Mongoose 6.13.9, 7.8.9, 8.22.1, or 9.1.6 or later to apply the official patch.
  • If an immediate upgrade is not possible, audit and remove any code that constructs unguarded $nor clauses; enforce the sanitizeFilter option programmatically so that it cannot be bypassed.
  • Review all query construction logic to ensure that no user-supplied data reaches Mongoose without passing through sanitizeFilter or equivalent server-side validation.

Advisories
Source: GitHub GHSA
ID: GHSA-wpg9-53fq-2r8h
Title: Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
History

Fri, 15 May 2026 18:30:00 +0000

First Time appeared, values added: Mongoosejs; Mongoosejs mongoose
CPEs, values added: cpe:2.3:a:mongoosejs:mongoose:*:*:*:*:*:node.js:*:*
Vendors & Products, values added: Mongoosejs; Mongoosejs mongoose

Thu, 14 May 2026 19:45:00 +0000

First Time appeared, values added: Automattic; Automattic mongoose
Vendors & Products, values added: Automattic; Automattic mongoose

Thu, 14 May 2026 19:15:00 +0000

Metrics, values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 18:15:00 +0000

Description, values added: the description text shown at the top of this page
Title, values added: Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
Weaknesses, values added: CWE-74
References, values added:
Metrics, values added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T18:18:06.935Z

Reserved: 2026-04-26T13:26:14.514Z

Link: CVE-2026-42334

Vulnrichment

Updated: 2026-05-14T18:18:02.203Z

NVD

Status: Analyzed

Published: 2026-05-14T18:16:47.747

Modified: 2026-05-15T18:25:21.933

Link: CVE-2026-42334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T19:30:26Z

Weaknesses