Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 2 npm packages depend on mongoose (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 7.0.0.
DescriptionGitHub Advisory
Impact
This vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator.
When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized.
This may lead to:
- Authentication bypass
- Unauthorized data access
- Data exfiltration
Affected users:
Applications that:
- Explicitly enable sanitizeFilter
- Pass unsanitized user-controlled input directly into query methods (e.g.,
Model.findOne(req.body)) and rely onsanitizeFilterto strip out query selectors
Applications that validate input schemas, whitelist fields, or avoid passing raw request bodies into queries are not affected. For example, Model.findOne({ user: req.body.user, pwd: req.body.pwd }) is not affected.
Patches
Patches have been released for all supported Mongoose release lines:
^6.13.9^7.8.9^8.22.1^9.1.6
Workarounds
Delete $nor keys, use an additional schema validation library, or write middleware to strip out $nor from query filters.
Resources
sanitizeFilter documentation: https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()
Original blog post on sanitizeFilter: https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html
AnalysisAI
Authentication bypass in Mongoose 6.x-9.x allows remote attackers to inject malicious MongoDB query operators via the $nor clause when sanitizeFilter is enabled. The vulnerability exists because Mongoose's sanitizeFilter mechanism fails to recursively sanitize the $nor logical operator, allowing injection of operators like $ne, $gt, or $regex that bypass authentication checks or extract unauthorized data. This affects only applications that explicitly enable sanitizeFilter and pass unsanitized user input directly into query methods while relying on sanitizeFilter for protection. Vendor-released patches are available for all supported release lines. No public exploit identified at time of analysis, though exploitation is straightforward for affected configurations.
Technical ContextAI
Mongoose is a MongoDB object data modeling (ODM) library for Node.js applications. The sanitizeFilter feature, introduced in Mongoose 6, is designed to prevent NoSQL injection by wrapping MongoDB query operators (e.g., $ne, $gt, $regex) in $eq to neutralize them. The vulnerability stems from an incomplete implementation of recursive sanitization logic for MongoDB's logical operators. While $and and $or were properly handled, $nor was omitted from the recursive sanitization routine. Because $nor accepts an array of conditions (similar to $and/$or) and arrays do not trigger Mongoose's hasDollarKeys() detection function, attackers can nest malicious query operators inside $nor clauses. The root cause aligns with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) - specifically, incomplete sanitization of MongoDB-specific query syntax. This is a logic flaw in Mongoose's security feature implementation, not a MongoDB vulnerability.
RemediationAI
Upgrade Mongoose to patched versions immediately if you meet the affected configuration criteria: 6.13.9 or later for 6.x users, 7.8.9 or later for 7.x users, 8.22.1 or later for 8.x users, or 9.1.6 or later for 9.x users. These patch versions are confirmed by the GitHub security advisory GHSA-wpg9-53fq-2r8h. If immediate upgrade is not feasible, implement one of these compensating controls: (1) Add middleware to strip $nor keys from all incoming query filters before they reach Mongoose query methods - this prevents the attack vector entirely but may break legitimate use of $nor in your application logic; (2) Replace direct req.body passthrough with explicit field mapping (e.g., change Model.findOne(req.body) to Model.findOne({ username: req.body.username, password: req.body.password })) - this is the recommended long-term secure coding practice and eliminates reliance on sanitizeFilter; (3) Implement schema validation using libraries like Joi, Yup, or express-validator to whitelist allowed fields and reject MongoDB operators before queries execute - adds defense-in-depth but increases request processing overhead. Note that disabling sanitizeFilter is NOT a viable workaround as it would expose other injection vectors. Advisory and documentation available at https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter() and https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30349
GHSA-wpg9-53fq-2r8h