CVE-2026-42334

HIGH

Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection

Title source: cna

Description

Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h

Scores

CVSS v3 7.5

EPSS 0.0005

EPSS Percentile 14.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-74

Status published

Products (9)

Automattic/mongoose < 6.13.9

Automattic/mongoose >= 7.0.0, <= 7.8.8

Automattic/mongoose >= 8.0.0, <= 8.22.0

Automattic/mongoose >= 9.0.0, <= 9.1.5

mongoosejs/mongoose < 6.13.9

npm/mongoose 0 - 6.13.9npm

npm/mongoose 7.0.0 - 7.8.9npm

npm/mongoose 8.0.0 - 8.22.1npm

npm/mongoose 9.0.0 - 9.1.6npm

Published May 14, 2026

Tracked Since May 15, 2026