Valeri Karpov

7 exploits Active since Oct 2019
CVE-2024-53900 WRITEUP CRITICAL WRITEUP
mongoosejs/mongoose < 6.13.5 and >=8.0.0-rc0 <8.8.3 - Search Injection via $where in Match
Mongoose before 8.8.3 can improperly use $where in match, leading to search injection.
CVSS 9.1
CVE-2025-23061 WRITEUP CRITICAL WRITEUP
mongoose < 6.13.6 and 8.0.0-rc0-8.9.5 - Search Injection via Nested $where Filter with Populate Match
Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.
CVSS 9.0
CVE-2019-17426 WRITEUP CRITICAL WRITEUP
Automattic Mongoose <5.7.4 - Auth Bypass
Automattic Mongoose through 5.7.4 allows attackers to bypass access control (in some applications) because any query object with a _bsontype attribute is ignored. For example, adding "_bsontype":"a" can sometimes interfere with a query filter. NOTE: this CVE is about Mongoose's failure to work around this _bsontype special case that exists in older versions of the bson parser (aka the mongodb/js-bson project).
CVSS 9.1
CVE-2020-35149 WRITEUP MEDIUM WRITEUP
mquery < 3.2.3 - Prototype Pollution via Merge/Clone Operation
lib/utils.js in mquery before 3.2.3 allows a pollution attack because a special property (e.g., __proto__) can be copied during a merge or clone operation.
CVSS 5.3
CVE-2021-23438 WRITEUP MEDIUM WRITEUP
mpath < 0.8.4 - Type Confusion via Array IndexOf Bypass
This affects the package mpath before 0.8.4. A type confusion vulnerability can lead to a bypass of CVE-2018-16490. In particular, the condition ignoreProperties.indexOf(parts[i]) !== -1 returns -1 if parts[i] is ['__proto__']. This is because the method that has been called if the input is an array is Array.prototype.indexOf() and not String.prototype.indexOf(). They behave differently depending on the type of the input.
CVSS 5.6
CVE-2022-2564 WRITEUP CRITICAL WRITEUP
automattic/mongoose <6.4.6 - Info Disclosure
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.
CVSS 9.8
CVE-2023-3696 WRITEUP CRITICAL WRITEUP
mongoose < 5.13.20 and 7.0.0-7.3.3 - Prototype Pollution
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.4.
CVSS 9.8